This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A critical unrestricted file upload flaw in the 'DSGVO Google Web Fonts GDPR' WordPress plugin. **Consequences**: An attacker can upload arbitrary files without authorization; when the uploaded file is a script the web server executes, this becomes **Remote Code Execution (RCE)**.…
**Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). The plugin does not validate the type of the files it accepts during upload, so an attacker can store an executable file (for example, a PHP web shell) in a location the web server serves. No checks = no security.
Q3 Who is affected? (Versions/Components)
**Affected**: WordPress plugin **DSGVO Google Web Fonts GDPR**. **Version**: **1.1 and earlier**. **Vendor**: mlfactory. If this GDPR font plugin is installed on your site, you are at risk.
Q4 What can hackers do? (Privileges/Data)
**Attacker Capabilities**: Unauthenticated access. Upload any file (e.g., a web shell). Execute arbitrary code on the server as the PHP/web server user. Full control over the website and potentially the underlying system.
Q5 Is the exploitation threshold high? (Auth/Config)
**Exploitation Threshold**: **LOW**. CVSS vector (exploitability metrics): **AV:N/AC:L/PR:N/UI:N**. Network accessible, no authentication required, no user interaction needed. Extremely easy to exploit.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Public Exploit**: The data lists **no specific PoC** in the `pocs` array. However, the vulnerability is documented with source code references, so writing one takes little effort. Given the low barrier to entry, treat in-the-wild exploitation as likely; the absence of a listed PoC is not evidence of safety.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: 1. Check the WordPress Plugins list for 'DSGVO Google Web Fonts GDPR'. 2. Verify whether the installed version is **≤ 1.1**. 3. Look for the file upload handling in `dsgvo-google-web-fonts-gdpr.php` (lines 46 and 159).…
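The self-check above as a script you can run against a WordPress document root. This is an added example written for this summary, not code from the plugin, its vendor or the original analysis. It assumes (the advisory does not say) that the plugin is installed under `wp-content/plugins/dsgvo-google-web-fonts-gdpr/` with its main file `dsgvo-google-web-fonts-gdpr.php`, and that the version is declared in the standard WordPress plugin header; the affected range (≤ 1.1) is taken from the advisory. `SAMPLE_HEADER` and the temporary site built in `run_demo()` are constructed test data. Beyond the version check, it also lists script files under `wp-content/uploads`, which is where a file dropped through an unrestricted upload usually ends up.

```python
"""Self-check helpers for the DSGVO Google Web Fonts GDPR advisory.

Added example, not code from the plugin, its vendor or the advisory.
Assumptions (not stated by the advisory): the plugin lives under
wp-content/plugins/dsgvo-google-web-fonts-gdpr/ with its main file
dsgvo-google-web-fonts-gdpr.php and declares its version in the standard
WordPress plugin header ("Version: x.y"). The vulnerable range (<= 1.1) is
the advisory's. SAMPLE_HEADER and the temporary site in run_demo() are
constructed test data.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

PLUGIN_SLUG = "dsgvo-google-web-fonts-gdpr"   # assumed directory / file slug
LAST_VULNERABLE = "1.1"                       # advisory: 1.1 and earlier
# Extensions a typical Apache/PHP-FPM setup executes if they land in uploads.
EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}

NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(?P<name>.+?)\s*$", re.M | re.I)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<ver>\S+)", re.M | re.I)

# Constructed sample of a WordPress plugin header, used by the demo and tests.
SAMPLE_HEADER = """<?php
/*
Plugin Name: DSGVO Google Web Fonts GDPR
Description: Constructed sample header.
Version: 1.1
*/
"""


def parse_plugin_header(text: str) -> dict:
    """Extract Plugin Name and Version from a WordPress plugin header comment."""
    name = NAME_RE.search(text)
    ver = VERSION_RE.search(text)
    return {
        "name": name.group("name") if name else None,
        "version": ver.group("ver") if ver else None,
    }


def version_tuple(version: str) -> tuple:
    """Numeric tuple for ordering: '1.0' == '1', '1.1' < '1.1.1' < '1.2' < '1.10'.
    Non-numeric parts (e.g. '1.1rc1') count as 0, which errs towards 'vulnerable'."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version)]
    while len(parts) > 1 and parts[-1] == 0:   # drop trailing zeros so 1.0 == 1
        parts.pop()
    return tuple(parts)


def is_vulnerable(version: Optional[str]) -> bool:
    """True for versions <= 1.1, and for an unknown version (be conservative)."""
    if version is None:
        return True
    return version_tuple(version) <= version_tuple(LAST_VULNERABLE)


def check_install(wp_root: str) -> dict:
    """Report whether the plugin is installed under wp_root and whether its
    header version falls in the advisory's affected range."""
    main_file = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG / f"{PLUGIN_SLUG}.php"
    if not main_file.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    header = parse_plugin_header(main_file.read_text(errors="replace"))
    return {"installed": True, "version": header["version"],
            "vulnerable": is_vulnerable(header["version"])}


def find_executable_uploads(wp_root: str) -> list:
    """List script files under wp-content/uploads. A web shell dropped through an
    unrestricted upload typically lands there, and patching does not remove it."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(
        p.relative_to(wp_root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXT
    )


def run_demo() -> dict:
    """Build a throwaway WordPress tree with the sample plugin at 1.1 and one
    planted .php file in uploads, then run both checks against it."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / f"{PLUGIN_SLUG}.php").write_text(SAMPLE_HEADER)
        uploads = Path(root) / "wp-content" / "uploads" / "2024" / "05"
        uploads.mkdir(parents=True)
        (uploads / "logo.png").write_bytes(b"\x89PNG constructed")
        (uploads / "cache.php").write_text("<?php /* constructed planted file */ ?>")
        return {"install": check_install(root),
                "uploads": find_executable_uploads(root)}


if __name__ == "__main__":
    print(run_demo())
```

Point `check_install()` and `find_executable_uploads()` at a real document root to use it. A hit from the uploads scan is not proof of compromise (some themes and plugins legitimately write PHP there), but each one warrants a manual look, and a version check alone says nothing about files already dropped before the update.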
**Urgency**: **CRITICAL**. CVSS severity is **High** (the C/I/A impact ratings are all H). Unauthenticated RCE is a top-tier threat. **Action**: Update to a fixed version or remove the plugin **IMMEDIATELY**. Do not wait. If the site was reachable while the vulnerable version was installed, also check `wp-content/uploads` and the plugin directory for unexpected PHP files, since updating does not remove a web shell that was already dropped.