CVE-2026-3535

Google · Google Web Fonts GDPR Plugin

The Google Web Fonts GDPR plugin for WordPress is vulnerable to unauthenticated arbitrary file upload via the `DSGVOGWPdownloadGoogleFonts()` function, potentially leading to remote code execution.

Executive summary

An unauthenticated arbitrary file upload vulnerability in the Google Web Fonts GDPR plugin for WordPress exposes sites to full system compromise via remote code execution.

Vulnerability

This is an arbitrary file upload vulnerability caused by missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function. Because the function is registered on an unauthenticated `wp_ajax_nopriv_` hook, anyone who can reach the site's AJAX endpoint can invoke it without logging in and upload malicious files, such as PHP webshells, to the server.

Business impact

A successful exploit allows an attacker to achieve remote code execution, granting them full control over the compromised WordPress instance. Given the CVSS score of 9.8, this represents a critical risk that could lead to complete data exfiltration, site defacement, and the deployment of persistent malware, resulting in severe reputational and operational damage.

Remediation

Immediate Action: Update the Google Web Fonts GDPR plugin to the latest available version. If no fixed version is available, deactivate or remove the plugin until a patch has been verified.

Proactive Monitoring: Review web server access logs for suspicious POST requests to the plugin's AJAX endpoints and monitor for newly created files in the upload directories.

Compensating Controls: Where possible, implement a Web Application Firewall (WAF) rule that blocks unauthorized requests to the wp-admin/admin-ajax.php endpoint that invoke this plugin's function.
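As an added illustration of the "Proactive Monitoring" step (this is not code from the plugin or the advisory), the following script scans combined-format web server access logs for the two signals named above: POST requests to wp-admin/admin-ajax.php, and any request for an executable file under wp-content/uploads/. The plugin's real AJAX action name is not given in this advisory, so the sample uses the placeholder `PLACEHOLDER_FONT_ACTION`; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log line: ip ident user [ts] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions the PHP handler would execute if a file with them lands under wp-content/uploads
EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".php7", ".phps")

def find_indicators(lines, watched_actions=None):
    """Scan access-log lines for two signals of admin-ajax upload abuse:
    1. POST to wp-admin/admin-ajax.php (the 'action' is often only in the POST
       body, which access logs do not record, so those are reported as '<body>');
    2. any request for an executable file under wp-content/uploads/, which is
       what a dropped webshell looks like after the fact.
    watched_actions: optional set of action names to narrow signal 1 to."""
    ajax_posts, upload_exec = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = url.path.lower()
        if m["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
            action = parse_qs(url.query).get("action", ["<body>"])[0]
            if watched_actions is None or action in watched_actions or action == "<body>":
                ajax_posts.append((m["ip"], m["ts"], action, int(m["status"])))
        if "/wp-content/uploads/" in path and path.endswith(EXEC_EXT):
            upload_exec.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return {"ajax_posts": ajax_posts, "upload_exec_requests": upload_exec}

# Constructed sample lines (not real traffic); the action name is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=PLACEHOLDER_FONT_ACTION HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Mar/2026:10:15:04 +0000] "GET /wp-content/uploads/2026/03/fonts.php HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '192.0.2.10 - - [12/Mar/2026:10:16:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '192.0.2.11 - - [12/Mar/2026:10:16:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [12/Mar/2026:10:16:07 +0000] "GET /wp-content/uploads/2026/03/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, rows in find_indicators(SAMPLE_LOG).items():
        print(key)
        for row in rows:
            print("  ", row)
```

Legitimate logged-in users also POST to admin-ajax.php (editors, heartbeat), so treat signal 1 as a lead to correlate with signal 2 and with new files on disk, not as proof of compromise on its own.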

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is critical due to the lack of required authentication for exploitation. Administrators must prioritize updating this plugin immediately to prevent potential system takeovers. If immediate patching is not possible, the plugin should be disabled to eliminate the attack vector.