CVE-2025-12666 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the oscaruh Google Drive upload and download link plugin for WordPress. This vulnerability affects all versions up to and including 1.0. The root cause is insufficient sanitization and escaping of user-supplied input in the 'link' parameter of the 'atachfilegoogle' shortcode, which is used to embed Google Drive upload and download links within WordPress pages. An attacker with authenticated Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'link' parameter. Because the malicious script is stored on the server and rendered whenever a user accesses the affected page, it can execute in the context of the victim’s browser session. This can lead to theft of session cookies, defacement, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based (remote), with low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change affecting confidentiality and integrity but not availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was published on November 27, 2025, and assigned by Wordfence. Given the widespread use of WordPress and the popularity of Google Drive integration plugins, this vulnerability poses a tangible risk to websites using this specific plugin version.

The impact of CVE-2025-12666 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an authenticated attacker with Contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users who visit the compromised pages. This can lead to session hijacking, credential theft, unauthorized actions performed with the victim’s privileges, and potential spread of malware or phishing attacks. While availability is not directly affected, the reputational damage and potential data breaches can be significant. Organizations relying on this plugin for Google Drive integration risk compromise of user accounts and sensitive data, especially if administrators or editors access the infected pages. The requirement for authenticated access limits the attack surface but does not eliminate risk, as Contributor-level accounts are common in multi-user WordPress environments. The medium CVSS score reflects moderate severity but should not lead to complacency given the potential for lateral movement and privilege escalation within compromised sites.

To mitigate CVE-2025-12666, organizations should first verify if they use the oscaruh Google Drive upload and download link plugin and identify affected versions (all versions up to 1.0). Since no official patch links are currently available, immediate mitigation steps include: 1) Restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads in the 'link' parameter, focusing on common XSS attack patterns. 3) Conduct manual code review or apply custom input sanitization and output escaping for the 'link' parameter within the plugin code if feasible. 4) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 5) Educate site administrators and editors about the risks of XSS and safe content management practices. 6) Regularly backup website data to enable recovery in case of compromise. 7) Stay alert for official patches or updates from the plugin vendor and apply them promptly once available. 8) Consider temporarily disabling or replacing the plugin with a more secure alternative if mitigation is not possible. These steps go beyond generic advice by focusing on privilege management, WAF tuning, and proactive monitoring tailored to this vulnerability’s characteristics.