The vulnerability is a sensitive information exposure flaw that allows unauthenticated attackers to retrieve Google OAuth credentials, specifically client_id and client_secret, as well as account email addresses from the plugin’s configuration. The weakness, class‑enqueue.php’s get_localize_data function, exposes critical authentication details that enable an attacker to impersonate the site’s Google account or manipulate API calls on behalf of the site owner. The impact is limited to confidentiality loss of credentials and related data; it does not provide remote code execution or privilege escalation within the WordPress installation.

WordPress sites using the File Manager for Google Drive – Integrate Google Drive plugin, version 1.5.3 or earlier. The affected component is the get_localize_data function within class‑enqueue.php. Sites running newer releases are not impacted.

The CVSS score of 7.5 indicates high severity, and a 2% EPSS score indicates a low exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, but the combination of an unauthenticated vector and exposed credentials makes it attractive to attackers. Successful exploitation would give an attacker access to Google OAuth tokens, enabling them to act and potentially perform further malicious actions against the Google account or the site’s files.