CVE-2025-12139 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the WordPress plugin 'File Manager for Google Drive – Integrate Google Drive' developed by princeahmed. The flaw exists in all versions up to and including 1.5.3 within the 'get_localize_data' function. This function improperly exposes sensitive data without authentication, allowing remote attackers to retrieve Google OAuth credentials, including client_id and client_secret, as well as Google account email addresses. These credentials are critical for OAuth authentication flows and can be abused to impersonate the legitimate application, access user data, or escalate privileges. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting a high severity due to its network attack vector, lack of required privileges or user interaction, and high confidentiality impact. The plugin is widely used to integrate Google Drive with WordPress sites, making many websites potentially vulnerable. No patches or fixes are currently linked, and no exploits have been observed in the wild, but the risk remains significant due to the sensitive nature of the leaked information and the ease of exploitation.

The primary impact of CVE-2025-12139 is the unauthorized disclosure of sensitive OAuth credentials and Google account email addresses. Attackers gaining access to these credentials can potentially perform unauthorized API calls to Google Drive, access or exfiltrate sensitive files, or impersonate the affected application to launch further attacks. This compromises the confidentiality of user data stored in Google Drive linked to the vulnerable WordPress sites. Additionally, leaked client secrets can be used to craft malicious OAuth tokens, leading to broader account compromise or privilege escalation. Organizations using this plugin risk data breaches, loss of customer trust, and potential regulatory penalties related to data protection laws. The vulnerability does not directly affect integrity or availability but can indirectly lead to further attacks that do. The ease of exploitation without authentication increases the threat level, especially for public-facing WordPress sites.

To mitigate CVE-2025-12139, organizations should immediately update the 'File Manager for Google Drive – Integrate Google Drive' plugin to a patched version once available. In the absence of an official patch, temporarily disabling or uninstalling the plugin is recommended to prevent exploitation. Review and rotate Google OAuth credentials (client_id and client_secret) associated with the plugin to invalidate any potentially compromised secrets. Implement strict access controls and monitoring on Google Cloud Console to detect unusual API activity. Employ Web Application Firewalls (WAFs) to block suspicious requests targeting the 'get_localize_data' function or related endpoints. Additionally, audit WordPress site permissions and ensure minimal plugin usage to reduce attack surface. Regularly monitor security advisories from the plugin vendor and WordPress security communities for updates. Finally, educate site administrators about the risks of exposing OAuth credentials and best practices for secure plugin management.