{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3535/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3535"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DSGVO Google Web Fonts GDPR plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-upload","rce","CVE-2026-3535"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to a flaw in the \u003ccode\u003eDSGVOGWPdownloadGoogleFonts()\u003c/code\u003e function. This vulnerability, identified as CVE-2026-3535, affects all versions of the plugin up to and including 1.1. The vulnerable function lacks file type validation and is accessible without authentication via a \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e hook. An unauthenticated attacker can exploit this by submitting a URL that points to a CSS file. The plugin then extracts URLs from the CSS file's content and downloads those files to a publicly accessible directory on the WordPress server. The absence of file type validation allows the attacker to upload arbitrary files, including PHP webshells, leading to remote code execution. The exploit is limited to sites using specific themes, including twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable theme and the vulnerable plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious CSS file hosted on a server they control. This CSS file contains URLs pointing to a PHP webshell.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the WordPress site's \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint, triggering the \u003ccode\u003ewp_ajax_nopriv_DSGVOGWPdownloadGoogleFonts\u003c/code\u003e action. The request includes a parameter pointing to the malicious CSS file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDSGVOGWPdownloadGoogleFonts()\u003c/code\u003e function fetches the attacker-controlled CSS file.\u003c/li\u003e\n\u003cli\u003eThe function parses the CSS file and extracts the URLs, including the URL pointing to the PHP webshell.\u003c/li\u003e\n\u003cli\u003eThe function downloads the PHP webshell to a publicly accessible directory within the WordPress installation, such as \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e. Because of the missing validation, the PHP file is saved.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded PHP webshell via a direct HTTP request to the file's location.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server via the PHP webshell, gaining control of the WordPress site and potentially the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to upload arbitrary files, including PHP webshells, onto vulnerable WordPress installations. This leads to remote code execution, potentially granting the attacker complete control over the affected web server. The attacker can then steal sensitive data, deface the website, install malware, or use the compromised server as a launching point for further attacks. Given the widespread use of WordPress, a large number of websites are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the DSGVO Google Web Fonts GDPR plugin to a version patched against CVE-2026-3535 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect WordPress Plugin Arbitrary File Upload Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for requests to download files via the vulnerable function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to unusual files within the \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e directory, especially PHP files, as indicators of successful exploitation.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect PHP Webshell Upload via DSGVO Google Web Fonts GDPR Plugin\u003c/code\u003e to detect the writing of php files to the uploads directory.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to block requests targeting the \u003ccode\u003ewp_ajax_nopriv_DSGVOGWPdownloadGoogleFonts\u003c/code\u003e action.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-wordpress-plugin-upload/","summary":"The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to unauthenticated arbitrary file upload due to missing file type validation, allowing attackers to upload PHP webshells and achieve remote code execution.","title":"DSGVO Google Web Fonts GDPR WordPress Plugin Arbitrary File Upload Vulnerability (CVE-2026-3535)","url":"https://feed.craftedsignal.io/briefs/2024-01-29-wordpress-plugin-upload/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-3535","version":"https://jsonfeed.org/version/1.1"}