CVE-2026-3535 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-3535 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-3535 is an arbitrary file upload vulnerability affecting the DSGVO Google Web Fonts GDPR plugin for WordPress, caused by missing file type validation in the plugin's core font download function.
Technical Detail
The flaw exists in the DSGVOGWPdownloadGoogleFonts() function, which fails to validate the file type of content being downloaded and written to the server. An attacker who can trigger this function can upload arbitrary files, including server-side scripts, potentially achieving remote code execution (RCE) on the underlying web server. All versions of the plugin up to and including the affected release are vulnerable, and depending on server configuration, successful exploitation could result in full site compromise or lateral movement within shared hosting environments.
Exploitation Status
No known exploit code has been identified at this time, and this CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog. The exploit maturity rating is "no known exploit": neither public proof-of-concept code nor confirmed in-the-wild exploitation had been observed as of April 15, 2026. Given the critical CVSS score of 9.8, this status should be monitored closely.
Who Is Targeting This
There is no specific threat actor attribution at this time. WordPress plugin vulnerabilities of this class are frequently targeted opportunistically by automated scanning tools and low-sophistication actors seeking to establish web shells or persistent access on vulnerable sites, but no specific campaigns or named actors have been linked to this CVE.
What To Do
WordPress site administrators running the DSGVO Google Web Fonts GDPR plugin should update to the latest patched version immediately, treating this as a high-priority patch given the critical severity rating and the potential for unauthenticated or low-privilege file upload leading to RCE. If no patch is yet available, the plugin should be deactivated and removed until a fix is confirmed. Defenders should review web server logs for unexpected file creation events in plugin directories and scan for recently uploaded PHP or script files in the WordPress uploads and plugin paths. Web application firewall rules restricting file upload content types can serve as a compensating control in the interim.
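The file-system sweep recommended above, as an added example that is not part of this briefing or of the plugin: it walks wp-content/uploads and wp-content/plugins, flags script files in the uploads tree, recently written script files in the plugins tree, and files whose bytes carry a PHP open tag behind a non-script extension (a "font" that is really code). The extension list, the dsgvo-fonts directory name and the sample tree are constructed assumptions for an offline run; adjust them to the server being checked.

```python
import os
import tempfile
import time
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}  # assumed; match your server config
CONTENT_DIRS = ("wp-content/uploads", "wp-content/plugins")

def has_php_tag(path):
    # True if the first 512 bytes hold a PHP open tag, whatever the extension says.
    try:
        head = Path(path).read_bytes()[:512]
    except OSError:  # unreadable file: report nothing rather than abort the sweep
        return False
    return b"<?php" in head or b"<?=" in head

def find_suspicious(wp_root, max_age_days=7, now=None):
    """Return sorted (relative path, reason) pairs for files that deserve a closer look."""
    wp_root, now = Path(wp_root), (time.time() if now is None else now)
    hits = []
    for sub in CONTENT_DIRS:
        for path in filter(Path.is_file, (wp_root / sub).rglob("*")):
            rel = path.relative_to(wp_root).as_posix()
            scripty = path.suffix.lower() in SCRIPT_EXTS
            recent = now - path.stat().st_mtime <= max_age_days * 86400
            if scripty and sub.endswith("uploads"):  # uploads must never hold executable code
                hits.append((rel, "script file inside uploads"))
            elif scripty and recent:  # plugin code that changed outside a deployment
                hits.append((rel, "recently written script file in plugins"))
            elif not scripty and has_php_tag(path):  # e.g. a "font" that is really PHP
                hits.append((rel, "PHP code behind a non-script extension"))
    return sorted(hits)

def build_sample_tree():
    """Constructed WordPress layout for an offline run: (content, age in days) per file."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-content/uploads/dsgvo-fonts/roboto.woff2": (b"wOF2", 0),
        "wp-content/uploads/dsgvo-fonts/cache.php": (b"<?php /* unexpected script */", 0),
        "wp-content/uploads/dsgvo-fonts/lato.woff": (b"<?php /* not a font */", 0),
        "wp-content/plugins/example-plugin/plugin.php": (b"<?php /* shipped */", 60),
        "wp-content/plugins/example-plugin/helper.php": (b"<?php /* appeared today */", 0),
    }
    for rel, (body, age_days) in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        os.utime(path, (time.time() - age_days * 86400,) * 2)  # backdate for the age rule
    return root
```

Run find_suspicious against the real WordPress root; on the constructed tree it reports helper.php (recent plugin write), cache.php (script in uploads) and lato.woff (PHP behind a font extension) and stays silent on the old plugin file and the genuine font.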