Arbitrary File Upload Vulnerability in DSGVO Google Web Fonts Plugin for WordPress
CVE-2026-3535

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Dsgvo Google Web Fonts Gdpr
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-3535?

The DSGVO Google Web Fonts GDPR plugin for WordPress is susceptible to arbitrary file upload due to inadequate file type validation in its functionality. The DSGVOGWPdownloadGoogleFonts() function, which is publicly accessible without authentication, retrieves CSS files based on user-supplied URLs. This presents a significant security risk, as attackers can exploit this vulnerability to upload arbitrary files, including PHP webshells, to the server. The exploitation requires specific themes to be in use, potentially allowing unauthorized file execution on affected sites.

Affected Version(s)

DSGVO Google Web Fonts GDPR 0 <= 1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/dsgvo-google-w...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 4, 2026

Credit

Nabil Irawan

CVE-2026-3535 Data

JSON