CVE-2026-24540
Description
Missing Authorization vulnerability in princeahmed Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through <= 1.5.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Integrate Google Drive plugin ≤1.5.6 allows unprivileged users to access restricted functions remotely.
Vulnerability
The Integrate Google Drive WordPress plugin (versions up to and including 1.5.6) suffers from a missing authorization vulnerability [1]. This is a classic broken access control issue: the plugin fails to properly verify that a user has the required permissions before allowing access to certain internal functions or data.
Exploitation
An attacker who is authenticated as a low-privileged user (e.g., subscriber) can exploit the missing access control checks to perform actions intended for administrators [1]. No special network position is required; the attack is carried out entirely through the WordPress admin interface or AJAX handlers exposed to any logged-in user [1]. Reference [1] characterizes this as a broken access control vulnerability often used in mass-exploit campaigns targeting thousands of sites regardless of size or popularity.
Impact
Successful exploitation enables the attacker to gain unauthorized access to Google Drive integration features, potentially viewing or manipulating connected files and configuration settings [1]. The CVSS base score of 5.4 (Medium) reflects the confidentiality and integrity impact to the application [1].
Mitigation
The vendor has not yet released a patched version; the latest affected release is 1.5.6 [1]. Until an update arrives, website administrators should deactivate the plugin or use a web application firewall to block unprivileged access to the plugin's endpoints [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.6
- Range: <=1.5.6
Patches
No patches discovered yet.
References