CVE-2025-12666 is a stored Cross-Site Scripting (XSS) vulnerability identified in the oscaruh Google Drive upload and download link plugin for WordPress, affecting all versions up to and including 1.0. The vulnerability stems from improper neutralization of input during web page generation, specifically via the 'link' parameter in the 'atachfilegoogle' shortcode. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code that is stored persistently within the WordPress site content. When other users access the compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, indicating a failure to properly sanitize and escape user-supplied input before rendering it in web pages. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability poses a significant risk in multi-user WordPress environments where contributors can add content, especially in organizations relying on this plugin for Google Drive integration.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, compromising user sessions and potentially exposing sensitive data. Since the attack requires Contributor-level access, insider threats or compromised contributor accounts could be leveraged to inject malicious payloads. The persistent nature of stored XSS means that once injected, the malicious code can affect all users accessing the infected pages, including administrators and site visitors. This can result in data theft, defacement, or further exploitation such as phishing or spreading malware. Organizations using this plugin for document sharing or collaboration may face reputational damage and regulatory scrutiny under GDPR if personal data is exposed. The medium severity score indicates a moderate but tangible risk, especially for sectors with high reliance on WordPress-based content management and collaboration tools. The lack of known exploits in the wild suggests an opportunity for proactive mitigation before widespread attacks occur.

1. Immediately restrict Contributor-level access to trusted users only and review existing contributor accounts for suspicious activity. 2. Monitor and audit content submitted via the 'atachfilegoogle' shortcode for any suspicious or unexpected input. 3. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'link' parameter of this plugin. 4. Apply strict input validation and output encoding on the 'link' parameter within the plugin code if custom fixes are feasible before official patches are released. 5. Keep WordPress core and all plugins updated; monitor the vendor's announcements for patches addressing this vulnerability. 6. Educate content contributors about the risks of injecting untrusted content and enforce security best practices. 7. Conduct regular security scans and penetration tests focusing on XSS vulnerabilities in WordPress environments. 8. Consider temporarily disabling or replacing the vulnerable plugin with alternative solutions until a patch is available.