DSGVO Google Web Fonts GDPR Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability exists in the DSGVO Google Web Fonts GDPR plugin for WordPress in all versions through 1.1. The issue arises from inadequate file type validation in the 'DSGVOGWPdownloadGoogleFonts' function, which is exposed through a 'wp_ajax_nopriv_' hook and therefore requires no authentication. The function fetches the content at a user-supplied URL as a CSS file, extracts the font URLs it references, and downloads those files into a publicly accessible directory. Because neither the referenced URLs nor the downloaded content are validated, unauthenticated attackers can place arbitrary files, including PHP web shells, on the server, potentially leading to remote code execution. Exploitation requires the site to be using one of certain themes, including Twenty Fifteen, Twenty Seventeen, Twenty Sixteen, Storefront, Salient, or Shapely.
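The download step described above is where the missing validation belongs. The following is an added illustration, not the plugin's code: it models the same flow (fetch CSS, extract url(...) references, save each referenced file) and shows the checks a hardened version would apply. The four-format allowlist, the magic-byte table, the `fetch` callback and the sample CSS and responses are all assumptions or constructed inputs, not taken from the plugin.

```python
"""Allowlist-based validation of font URLs extracted from a CSS file.

Added illustration (not the plugin's code). It models the download step the
advisory describes and adds the validation that was missing: an extension
allowlist on the URL path, a magic-byte check on the downloaded bytes, and a
server-chosen filename so the remote name never reaches the filesystem.
"""
import hashlib
import re
from urllib.parse import urlparse

# Font formats a Google Fonts stylesheet references (assumption: these four
# are all the plugin needs; .php, .phtml, .svg and similar are never added).
ALLOWED_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf")

# Leading bytes of each allowed format, from the WOFF and OpenType specifications.
MAGIC_BY_EXTENSION = {
    ".woff": (b"wOFF",),
    ".woff2": (b"wOF2",),
    ".ttf": (b"\x00\x01\x00\x00", b"true"),
    ".otf": (b"OTTO",),
}

URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")


def extract_font_urls(css_text):
    """Return every url(...) target in the CSS, in order of appearance."""
    return URL_RE.findall(css_text)


def _extension_of(url):
    """Allowlisted extension of the URL *path*, or None.

    Checking the path rather than the whole URL matters: a query string such
    as '?x=.woff' must not be able to satisfy the allowlist.
    """
    path = urlparse(url).path.lower()
    for ext in ALLOWED_EXTENSIONS:
        if path.endswith(ext):
            return ext
    return None


def is_allowed_font_url(url):
    """Accept only https URLs with a host and an allowlisted font extension."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc) and _extension_of(url) is not None


def has_font_magic(data, extension):
    """Verify that the downloaded bytes start like the format the extension claims."""
    return any(data.startswith(m) for m in MAGIC_BY_EXTENSION.get(extension, ()))


def safe_local_name(url):
    """Server-chosen filename: hash of the URL plus the vetted extension."""
    return hashlib.sha256(url.encode()).hexdigest()[:16] + _extension_of(url)


def download_fonts(css_text, fetch):
    """Return {local_name: bytes} for every reference that passes both checks.

    `fetch(url) -> bytes` is injected so the function runs offline in tests.
    Rejected references are skipped; a real plugin would log them.
    """
    saved = {}
    for url in extract_font_urls(css_text):
        if not is_allowed_font_url(url):
            continue
        data = fetch(url)
        if not has_font_magic(data, _extension_of(url)):
            continue
        saved[safe_local_name(url)] = data
    return saved


# Constructed sample: one genuine font reference and two that must be rejected.
SAMPLE_CSS = """
@font-face { font-family: 'A'; src: url(https://fonts.example.invalid/a.woff2) format('woff2'); }
@font-face { font-family: 'B'; src: url('https://cdn.example.invalid/b.php') format('woff'); }
@font-face { font-family: 'C'; src: url("https://cdn.example.invalid/c.ttf") format('truetype'); }
"""

# Constructed responses standing in for the network: c.ttf is named like a
# font but its body is PHP source, so the magic-byte check must reject it.
FAKE_RESPONSES = {
    "https://fonts.example.invalid/a.woff2": b"wOF2" + b"\x00" * 32,
    "https://cdn.example.invalid/b.php": b"<?php echo 1; ?>",
    "https://cdn.example.invalid/c.ttf": b"<?php echo 1; ?>",
}

if __name__ == "__main__":
    for name in download_fonts(SAMPLE_CSS, FAKE_RESPONSES.__getitem__):
        print("saved", name)
```

Only `a.woff2` survives: `b.php` fails the extension allowlist and `c.ttf` fails the magic-byte check even though its name looks like a font. Restricting the scheme to https and hashing the filename are cheap additions that also remove the remote host's control over what lands on disk.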

Impact

Successful exploitation allows arbitrary files to be written to a web-accessible directory on the server, where they can be executed, leading to remote code execution.

Reproduction

To reproduce this vulnerability, install the DSGVO Google Web Fonts GDPR plugin version 1.1 or earlier on a WordPress site using one of the vulnerable themes. Once the plugin is activated, send a request to the 'wp_ajax_nopriv_DSGVOGWPdownloadGoogleFonts' endpoint with a 'fonturl' parameter containing a URL to a CSS file. The plugin downloads the files referenced by that CSS into a publicly accessible directory without validating their type, allowing malicious files such as PHP web shells to be placed on the server.
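For sites that cannot update immediately, the request shape above is enough to build a log check. The following added example (not part of the advisory) scans Combined Log Format access-log lines for calls to the font-download action and flags those whose 'fonturl' points somewhere other than the expected font hosts. It assumes the action is reached through the standard WordPress AJAX entry point, admin-ajax.php, with the action name as the part after the 'wp_ajax_nopriv_' prefix; the expected-host list, the label names and the log lines are constructed.

```python
"""Spot calls to the unauthenticated font-download AJAX action in access logs.

Added illustration, not part of the advisory. It assumes Combined Log Format
(Apache/Nginx default) and that the plugin's action is reached through
admin-ajax.php. For POST requests the parameters are not in the access log,
so the rule sees the action name only when it travels in the query string.
"""
import re
from urllib.parse import parse_qs, urlparse

# Action name = the part after the 'wp_ajax_nopriv_' prefix (assumption).
ACTION = "DSGVOGWPdownloadGoogleFonts"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hosts from which the site legitimately loads font CSS (assumption).
EXPECTED_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["target"])
    rec["path"] = parsed.path
    # parse_qs splits on '&' first, then percent-decodes each value, so an
    # encoded '?' inside fonturl stays part of the fonturl value.
    rec["query"] = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return rec


def classify(rec):
    """Return a finding label for one parsed request, or None if it is uninteresting."""
    if rec is None or not rec["path"].endswith("/admin-ajax.php"):
        return None
    if rec["query"].get("action") != ACTION:
        return None
    fonturl = rec["query"].get("fonturl", "")
    host = urlparse(fonturl).hostname or ""
    if host in EXPECTED_FONT_HOSTS:
        return "font-download-expected-host"
    if fonturl:
        return "font-download-unexpected-host"
    return "font-download-no-fonturl"  # parameters likely in a POST body


def scan(lines):
    """Return (ip, timestamp, label) for every line that triggers a finding."""
    findings = []
    for rec in map(parse_line, lines):
        label = classify(rec)
        if label:
            findings.append((rec["ip"], rec["ts"], label))
    return findings


# Constructed sample log lines (documentation IPs and .invalid hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Apr/2026:07:38:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=DSGVOGWPdownloadGoogleFonts&fonturl=https%3A%2F%2Ffonts.googleapis.com'
    '%2Fcss%3Ffamily%3DRoboto HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Apr/2026:07:39:12 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=DSGVOGWPdownloadGoogleFonts&fonturl=https%3A%2F%2Funknown-host.example.invalid'
    '%2Ffonts.css HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [08/Apr/2026:07:39:13 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=DSGVOGWPdownloadGoogleFonts HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.9 - - [08/Apr/2026:07:40:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, label in scan(SAMPLE_LOG):
        print(ip, ts, label)
```

A hit with an unexpected host, or any hit at all on a site that does not use the plugin's download feature, is worth following up by listing recently written files in the plugin's font directory; the access log alone cannot show what the downloaded bytes were.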

Added: Apr 8, 2026, 7:38 AM
Updated: Apr 8, 2026, 7:38 AM

Vulnerability Rating

Custom Algorithm (category: score)
spread: 0.0
impact: 7.5
exploitability: 8.0
remediation: 0.0
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.