CVE-2025-26574

Vulnerability

Analysis

The Google Drive WP Media plugin for WordPress, versions 2.4.4 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw arises when the plugin fails to sanitize or escape input before storing it and later displaying it on a page, allowing an attacker to inject arbitrary HTML and JavaScript code [1].

Exploitation

Requirements

Exploitation requires a privileged user (such as an administrator) to interact with a crafted page or link, but once the payload is stored, the injected script executes automatically for any visitor viewing the affected content [1]. The attack vector is network-based, with low complexity and high scope change (CVSS 6.5) [1].

Impact

A successful attack can lead to the execution of malicious scripts in the browsers of site visitors, enabling actions like redirecting users to phishing sites, injecting unwanted advertisements, or stealing session cookies [1]. This stored XSS can be leveraged in mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor has not released a patch; the affected version remains ≤2.4.4 [1]. As an immediate action, users should update the plugin if a patched version becomes available or disable the plugin until remediation is complete [1]. Hosting providers or web developers may assist with temporary workarounds such as input sanitization rules [1].