Overview
This article details a security vulnerability, identified as CVE-2025-12666, affecting the “Google Drive Upload and Download Link” WordPress plugin. It is a Stored Cross-Site Scripting (XSS) flaw that could allow an attacker to inject malicious JavaScript into your website. That code then executes in the browsers of other users who visit the affected pages, potentially leading to data theft, account compromise, or website defacement. All versions of the plugin up to and including 1.0 are affected.
Technical Details
The vulnerability lies within the ‘atachfilegoogle’ shortcode of the plugin. Specifically, the ‘link’ parameter is not properly sanitized or escaped. This means that an authenticated user with Contributor-level access or higher can inject arbitrary HTML and JavaScript code into a page or post. When another user (including administrators) visits the page containing the malicious shortcode, the injected script will execute.
Example of a malicious shortcode:
[atachfilegoogle link="<script>alert('XSS Vulnerability!');</script>"]
The code above, injected via the ‘link’ parameter, will cause an alert box to pop up when the page containing the shortcode is visited. A real-world attack could involve injecting code to steal cookies, redirect users to phishing sites, or perform other malicious actions.
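To show where the defect sits and how a shortcode handler should treat such an attribute, here is an added illustration (constructed for this article, not the plugin's actual source): a hypothetical handler for the ‘atachfilegoogle’ tag that concatenates the ‘link’ value into HTML unescaped, beside a hardened version that validates the URL against an assumed allow-list of Google hosts and escapes on output with WordPress's own esc_url()/esc_html__(). The function names, the rendered anchor markup and the allowed host list are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. The shortcode tag and the
// 'link' attribute come from the advisory; everything else is assumed.

// UNSAFE pattern: the attribute is dropped straight into the markup, so a
// Contributor who saves [atachfilegoogle link="..."] controls the HTML that
// is rendered for every visitor of the post, administrators included.
function gdul_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'link' => '' ), $atts, 'atachfilegoogle' );
    return '<a href="' . $atts['link'] . '" target="_blank">Download</a>';
}

// HARDENED pattern: validate that the value is an http(s) URL on an expected
// host, fail closed otherwise, and escape at the point of output. esc_url()
// rejects disallowed schemes such as javascript: and encodes quotes and angle
// brackets; esc_html__() protects the translatable link text.
function gdul_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'link' => '' ), $atts, 'atachfilegoogle' );
    $url  = trim( $atts['link'] );

    $parts     = wp_parse_url( $url ); // false or an array of URL components
    $scheme_ok = is_array( $parts ) && isset( $parts['scheme'] )
        && in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true );

    // Assumed allow-list: the hosts this kind of plugin is meant to link to.
    $allowed_hosts = array( 'drive.google.com', 'docs.google.com' );
    $host_ok       = is_array( $parts ) && isset( $parts['host'] )
        && in_array( strtolower( $parts['host'] ), $allowed_hosts, true );

    if ( ! $scheme_ok || ! $host_ok ) {
        // Render nothing rather than attacker-chosen markup.
        return '';
    }

    return '<a href="' . esc_url( $url ) . '" target="_blank" rel="noopener noreferrer">'
        . esc_html__( 'Download', 'gdul-example' ) . '</a>';
}

// Only the hardened handler is registered; the unsafe one is kept for contrast.
add_shortcode( 'atachfilegoogle', 'gdul_shortcode_safe' );
```

With the hardened handler, the alert() payload shown above has no http(s) scheme or allowed host, so the shortcode renders as an empty string instead of a script tag.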
CVSS Analysis
- CVE ID: CVE-2025-12666
- Severity: MEDIUM
- CVSS Score: 6.4
- CVSS Vector: not published in this article; the score reflects significant potential impact at moderate exploit complexity.
A CVSS score of 6.4 indicates a medium severity vulnerability. While the attacker requires authentication to exploit the vulnerability, the widespread use of the plugin and the potential for significant impact make this a serious issue.
Possible Impact
Successful exploitation of this vulnerability could have several serious consequences:
- Account Takeover: An attacker could steal administrator cookies and gain full control of the WordPress site.
- Data Theft: Sensitive information, such as user credentials or customer data, could be stolen.
- Website Defacement: The attacker could modify the content of the website, defacing it or displaying malicious messages.
- Malware Distribution: The attacker could inject malicious code to redirect users to websites containing malware.
- SEO Poisoning: Injecting hidden links for SEO manipulation.
Mitigation or Patch Steps
Unfortunately, there is currently no known patch or updated version of the plugin available as of this writing. Therefore, the recommended mitigation steps are:
- Immediately Deactivate and Remove the Plugin: The safest course of action is to completely remove the “Google Drive Upload and Download Link” plugin from your WordPress installation.
- Monitor User Activity: Keep a close eye on user activity for any suspicious behavior, such as unauthorized modifications to posts or pages.
- Implement a Web Application Firewall (WAF): A WAF can help detect and block malicious requests, including those attempting to exploit XSS vulnerabilities. Ensure your WAF rules are up-to-date.
- Consider Alternative Solutions: Explore other WordPress plugins that offer similar functionality for embedding Google Drive files, ensuring they are actively maintained and have a good security reputation.
