The Google Drive upload and download link plugin for WordPress contains a stored cross‑site scripting flaw in the 'link' parameter of the 'atachfilegoogle' shortcode. The lack of proper input sanitization and output escaping allows an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript into pages. When a user later views a page containing the injected content, the script executes in their browser, potentially leading to session hijacking, data theft, or defacement of the site. The CVSS score of 6.4 places the flaw in the medium severity range and the CWE-79 identifier confirms its nature.

All installations of the oscaruh Google Drive upload and download link WordPress plugin with a version number of 1.0 or earlier are affected. The vulnerability is tied to any WordPress site that utilizes this plugin and allows contributors or higher roles to submit or edit content containing the vulnerable shortcode.

The exploitation requires the attacker to be an authenticated contributor or higher, but does not need special network-level access. Once the script is stored, any visitor to the affected page will have the malicious code executed in their browser session. The EPSS score of less than 1 % suggests a low probability of exploitation at present, and the flaw is not listed in the CISA KEV catalog. However, because the impact involves arbitrary code execution in the context of site visitors, the risk is considered moderate and should not be ignored.