CVE-2025-12666
Description
The Google Drive upload and download link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter of the 'atachfilegoogle' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Google Drive upload and download link plugin allows authenticated attackers with Contributor-level access to inject arbitrary scripts via the shortcode link parameter.
The vulnerability is a stored cross-site scripting (XSS) flaw in the Google Drive upload and download link plugin for WordPress, affecting all versions up to and including 1.0. The issue resides in the 'link' parameter of the 'atachfilegoogle' shortcode, where insufficient input sanitization and output escaping allow attackers to inject arbitrary web scripts [1].
Exploitation requires authentication with at least Contributor-level access. Contributors cannot publish raw HTML: they lack the unfiltered_html capability, so their post content is run through KSES on save, which strips script tags and event-handler attributes. A shortcode, however, is plain text to that filter, so an attacker can put a payload in the 'link' attribute of [atachfilegoogle ...], save the post, and let the plugin's own rendering code turn it into unescaped markup. The payload is stored in the WordPress database with the post and executes whenever a user views the page containing the shortcode; since Contributors cannot publish, the first victims are typically the Editors or Administrators who preview the pending post [1].
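The following is an added illustration of the bug class, not the plugin's own code. Only the shortcode tag and the 'link' attribute come from the advisory; the function names, the rendered markup and the Google host allow-list are assumptions made for the example. It shows the vulnerable concatenation beside a hardened handler that validates on input with esc_url_raw() and escapes for the href context with esc_url().

```php
<?php
// Added example (not the plugin's code). Shortcode tag and 'link' attribute
// are from the advisory; function names, markup and host list are assumed.

// Vulnerable pattern: the attribute value is concatenated straight into HTML.
// A Contributor can save the post
//   [atachfilegoogle link='" onmouseover="alert(document.cookie)']
// (single quotes keep the double quotes intact for the shortcode parser),
// and KSES leaves it alone because shortcode text contains no HTML tag.
function example_atachfilegoogle_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'link' => '' ), $atts, 'atachfilegoogle' );
    return '<a href="' . $atts['link'] . '">Download</a>';
    // Rendered for every visitor as:
    // <a href="" onmouseover="alert(document.cookie)">Download</a>
}

// Hardened pattern: validate on input, escape for the output context.
function example_atachfilegoogle_fixed( $atts ) {
    $atts = shortcode_atts( array( 'link' => '' ), $atts, 'atachfilegoogle' );

    // esc_url_raw() returns '' for protocols outside wp_allowed_protocols()
    // (so javascript: is rejected) and strips characters that cannot occur
    // in a URL, including the quote and space from the payload above.
    $url = esc_url_raw( trim( $atts['link'] ) );
    if ( '' === $url ) {
        return '';
    }

    // Assumed allow-list: a Google Drive link plugin has no reason to link elsewhere.
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, array( 'drive.google.com', 'docs.google.com' ), true ) ) {
        return '';
    }

    // esc_url() is the escaper for an href attribute; never echo $url raw.
    return '<a href="' . esc_url( $url ) . '">Download</a>';
}

add_shortcode( 'atachfilegoogle', 'example_atachfilegoogle_fixed' );
```

The two calls are not interchangeable: esc_url_raw() is for validating and storing a URL, esc_url() for printing one into markup. Validation alone would still let a well-formed URL to an attacker-controlled site through, which is why the host check is there as well.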
Any user who loads the affected page runs the attacker's script in their browser, which can mean session hijacking, defacement, or redirection to malicious sites. When the viewer is an Editor or Administrator, the script runs with that user's session and can act as them against wp-admin, for example to create a new administrator account. The plugin was closed on November 25, 2025, because of this issue, so no official patch is available [1].
Users are advised to remove or replace the plugin immediately, as it is no longer supported and remains vulnerable. No workaround is provided [1].
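Before removing the plugin it is worth knowing which posts carry the shortcode and which 'link' values look injected, so that legitimate links can be re-created by other means and malicious ones cleaned out. The script below is an added audit helper, not part of the plugin or the advisory; it is meant to be run on the site with WP-CLI as wp eval-file audit-atachfilegoogle.php (file name assumed), and the Google host allow-list is an assumption.

```php
<?php
// Added audit helper (not part of the plugin or the advisory).
// Run on the site:  wp eval-file audit-atachfilegoogle.php   (file name assumed)
// Lists every post containing the shortcode and flags 'link' values that
// are not clean Google Drive URLs. Host allow-list is an assumption.

function example_audit_atachfilegoogle() {
    global $wpdb;

    // Cheap pre-filter in SQL; the shortcode regex does the real parsing.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_author, post_status, post_content
               FROM {$wpdb->posts}
              WHERE post_content LIKE %s",
            '%' . $wpdb->esc_like( '[atachfilegoogle' ) . '%'
        )
    );

    // Pass the tag explicitly: get_shortcode_regex() otherwise only matches
    // registered tags, and the plugin may already have been deactivated.
    $regex    = '/' . get_shortcode_regex( array( 'atachfilegoogle' ) ) . '/s';
    $allowed  = array( 'drive.google.com', 'docs.google.com' );
    $findings = array();

    foreach ( $rows as $row ) {
        if ( ! preg_match_all( $regex, $row->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            $atts = shortcode_parse_atts( $m[3] ); // capture group 3 is the attribute string
            $link = ( is_array( $atts ) && isset( $atts['link'] ) ) ? $atts['link'] : '';
            $host = strtolower( (string) wp_parse_url( $link, PHP_URL_HOST ) );

            // Suspicious if the sanitizer would change the value (quotes,
            // spaces, javascript: ...) or it does not point at Google Drive.
            $suspicious = ( esc_url_raw( $link ) !== $link )
                       || ! in_array( $host, $allowed, true );

            $findings[] = array(
                'post_id'    => (int) $row->ID,
                'author'     => (int) $row->post_author,
                'status'     => $row->post_status,
                'link'       => $link,
                'suspicious' => $suspicious,
            );
        }
    }
    return $findings;
}

foreach ( example_audit_atachfilegoogle() as $f ) {
    printf(
        "%s post %d (author %d, %s): %s\n",
        $f['suspicious'] ? 'SUSPICIOUS' : 'ok        ',
        $f['post_id'],
        $f['author'],
        $f['status'],
        $f['link']
    );
}
```

Treat a SUSPICIOUS line as something to look at, not as proof of compromise: a legitimate but unusually encoded URL can trip the comparison. The query only covers post content; if the site renders shortcodes from other places (widgets, custom fields), those need a separate pass, and a post whose author is a Contributor with a flagged link is the case to escalate.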
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2 shown, 1 more not listed)
- (no CPE)
- (no CPE), range: <=1.0
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.