Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media google-drive-wp-media allows Stored XSS.This issue affects Google Drive WP Media: from n/a through <= 2.4.4.
Published: 2025-02-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Google Drive WP Media plugin contains an Improper Neutralization of Input during Web Page Generation flaw that enables stored XSS. The vulnerability is present in all releases up to and including version 2.4.4, allowing attackers to inject malicious scripts that execute in the browser context of any user who views the affected content. This can lead to credential theft, defacement, or further session hijacking.

Affected Systems

Affected systems are installations of Moch Amir’s Google Drive WP Media plugin for WordPress, any version from the beginning of its availability through 2.4.4. The plugin integrates with the WordPress admin interface, so sites running these versions are at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of < 1% shows a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can likely exploit the flaw by submitting crafted content to the plugin’s stored fields, which are later rendered without proper escaping, causing the script to run in the context of site visitors. Preventive mitigation is therefore recommended.

Generated by OpenCVE AI on May 2, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Google Drive WP Media plugin to version 2.4.5 or newer.
  • If upgrading is not immediately feasible, temporarily disable or delete the plugin to prevent vulnerable code from executing.
  • As a fallback, implement server‑side sanitization (e.g., strip or encode script tags) on content submitted to the plugin before rendering, ensuring no malicious scripts are stored.

Generated by OpenCVE AI on May 2, 2026 at 04:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4229 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media allows Stored XSS. This issue affects Google Drive WP Media: from n/a through 2.4.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media allows Stored XSS. This issue affects Google Drive WP Media: from n/a through 2.4.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media google-drive-wp-media allows Stored XSS.This issue affects Google Drive WP Media: from n/a through <= 2.4.4.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00031}

 epss

{'score': 0.00034}

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0007}

 epss

{'score': 0.00031}

Tue, 18 Feb 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Feb 2025 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media allows Stored XSS. This issue affects Google Drive WP Media: from n/a through 2.4.4.
Title WordPress Google Drive WP Media plugin <= 2.4.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:31:46.707Z

Reserved: 2025-02-12T13:58:55.638Z

Link: CVE-2025-26574

cve-icon Vulnrichment

Updated: 2025-02-13T14:33:29.013Z

cve-icon NVD

Status : Deferred

Published: 2025-02-13T14:16:23.653

Modified: 2026-06-17T09:02:02.990

Link: CVE-2025-26574

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')