<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>DSGVO Google Web Fonts GDPR Plugin - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/dsgvo-google-web-fonts-gdpr-plugin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/dsgvo-google-web-fonts-gdpr-plugin/feed.xml" rel="self" type="application/rss+xml"/><item><title>DSGVO Google Web Fonts GDPR WordPress Plugin Arbitrary File Upload Vulnerability (CVE-2026-3535)</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-wordpress-plugin-upload/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-wordpress-plugin-upload/</guid><description>The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to unauthenticated arbitrary file upload due to missing file type validation, allowing attackers to upload PHP webshells and achieve remote code execution.</description><content:encoded><![CDATA[<p>The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to a flaw in the <code>DSGVOGWPdownloadGoogleFonts()</code> function. This vulnerability, identified as CVE-2026-3535, affects all versions of the plugin up to and including 1.1. The vulnerable function lacks file type validation and is accessible without authentication via a <code>wp_ajax_nopriv_</code> hook. An unauthenticated attacker can exploit this by submitting a URL that points to a CSS file. The plugin then extracts URLs from the CSS file's content and downloads those files to a publicly accessible directory on the WordPress server. The absence of file type validation allows the attacker to upload arbitrary files, including PHP webshells, leading to remote code execution. The exploit is limited to sites using specific themes, including twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using a vulnerable theme and the vulnerable plugin.</li>
<li>The attacker crafts a malicious CSS file hosted on a server they control. This CSS file contains URLs pointing to a PHP webshell.</li>
<li>The attacker sends a request to the WordPress site's <code>wp-admin/admin-ajax.php</code> endpoint, triggering the <code>wp_ajax_nopriv_DSGVOGWPdownloadGoogleFonts</code> action. The request includes a parameter pointing to the malicious CSS file.</li>
<li>The <code>DSGVOGWPdownloadGoogleFonts()</code> function fetches the attacker-controlled CSS file.</li>
<li>The function parses the CSS file and extracts the URLs, including the URL pointing to the PHP webshell.</li>
<li>The function downloads the PHP webshell to a publicly accessible directory within the WordPress installation, such as <code>/wp-content/uploads/</code>. Because of the missing validation, the PHP file is saved.</li>
<li>The attacker accesses the uploaded PHP webshell via a direct HTTP request to the file's location.</li>
<li>The attacker executes arbitrary commands on the server via the PHP webshell, gaining control of the WordPress site and potentially the underlying server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthenticated attackers to upload arbitrary files, including PHP webshells, onto vulnerable WordPress installations. This leads to remote code execution, potentially granting the attacker complete control over the affected web server. The attacker can then steal sensitive data, deface the website, install malware, or use the compromised server as a launching point for further attacks. Given the widespread use of WordPress, a large number of websites are potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the DSGVO Google Web Fonts GDPR plugin to a version patched against CVE-2026-3535 to remediate the vulnerability.</li>
<li>Implement the Sigma rule <code>Detect WordPress Plugin Arbitrary File Upload Attempt</code> to detect attempts to exploit this vulnerability by monitoring for requests to download files via the vulnerable function.</li>
<li>Monitor web server logs for access to unusual files within the <code>/wp-content/uploads/</code> directory, especially PHP files, as indicators of successful exploitation.</li>
<li>Implement the Sigma rule <code>Detect PHP Webshell Upload via DSGVO Google Web Fonts GDPR Plugin</code> to detect the writing of php files to the uploads directory.</li>
<li>Consider using a Web Application Firewall (WAF) to block requests targeting the <code>wp_ajax_nopriv_DSGVOGWPdownloadGoogleFonts</code> action.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>file-upload</category><category>rce</category><category>CVE-2026-3535</category></item></channel></rss>