Description
The Use-your-Drive | Google Drive plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in file metadata in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability can be exploited by the lowest authentication level permitted to upload files, including unauthenticated users, once a file upload shortcode is published on a publicly accessible post.
Published: 2025-08-05
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Use‑your‑Drive plugin for WordPress is susceptible to a stored cross‑site scripting flaw. The vulnerability arises from the plugin's failure to sanitize and escape the 'title' parameter in file metadata. An attacker can craft a malicious title containing executable JavaScript, which the plugin embeds directly into the HTML it generates without proper filtering. When any user views the page containing the uploaded file, the injected script runs in that user's browser, potentially stealing session cookies, defacing content, or redirecting the user to malicious sites. The flaw maps to CWE‑79 (Improper Neutralization of Input During Web Page Generation), i.e. user input that is not correctly validated or escaped before being written into a page.

Affected Systems

The flaw is present in the WP Cloud Plugins (deleeuw) Use‑your‑Drive | Google Drive plugin for WordPress versions up to and including 3.3.1. Users running these versions – regardless of the overall WordPress installation or hosting environment – are susceptible if they have the plugin installed and a file‑upload shortcode active on a publicly accessible post.

Risk and Exploitability

The CVSS score of 7.2 classifies the vulnerability as high severity, yet the EPSS score is less than 1%, indicating a low current probability of exploitation in the wild. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires only the ability to upload a file via the plugin’s shortcode, and the weakness can be leveraged by unauthenticated users if the upload interface is publicly exposed. As a result, the risk window exists for any environment that exposes the upload functionality to the public.

Generated by OpenCVE AI on April 20, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Use‑your‑Drive plugin to the latest released version (≥ 3.3.2) that resolves the XSS bug.
  • If an upgrade is not immediately possible, remove or restrict the plugin’s public file‑upload shortcode so that only authenticated administrators can upload files.
  • Configure a web application firewall or input‑validation plugin to escape the 'title' field of uploaded files, ensuring that any injected script is rendered harmless before display.
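The escaping the third action refers to, shown as an added example rather than code from the Use‑your‑Drive plugin: a hypothetical rendering function that writes the stored 'title' into a list entry unescaped, beside the same function escaping for HTML text and attribute context with WordPress's esc_html() and esc_attr(). The function and variable names are assumptions; stand‑ins for the WordPress helpers are defined so the script also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not code from the Use-your-Drive plugin. Function names such as
// render_file_entry_unsafe()/render_file_entry_safe() are hypothetical.

// Stand-ins so the script runs outside WordPress (php render_title.php). Inside
// WordPress the real esc_html()/esc_attr()/sanitize_text_field() are used instead;
// these approximate their behaviour and are not the WordPress implementations.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Approximation: drop tags and control characters, then trim.
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

// Vulnerable pattern (CWE-79): user-controlled metadata is concatenated verbatim
// into markup, both as an attribute value and as text content.
function render_file_entry_unsafe(array $file): string {
    $href = '/download/' . (int) $file['id'];
    return '<li><a href="' . $href . '" title="' . $file['title'] . '">'
         . $file['title'] . '</a></li>';
}

// Hardened pattern: escape at output time for the exact context the value lands
// in. Sanitizing on storage is defence in depth, not a replacement for escaping.
function render_file_entry_safe(array $file): string {
    $href  = '/download/' . (int) $file['id'];
    $title = sanitize_text_field($file['title']);
    return '<li><a href="' . esc_attr($href) . '" title="' . esc_attr($title) . '">'
         . esc_html($title) . '</a></li>';
}

// Constructed sample: a title carrying markup, as the advisory says an
// unauthenticated uploader can supply through a public upload shortcode.
$sample = ['id' => 42, 'title' => 'report<script>alert(1)</script>.pdf'];

echo "unsafe: ", render_file_entry_unsafe($sample), "\n";
echo "safe:   ", render_file_entry_safe($sample), "\n";
```

Running it prints the unsafe entry with a live `<script>` element inside the `<li>`, while the safe entry contains only `&lt;script&gt;…` entities (and, because sanitize_text_field() stripped the tags first, just `reportalert(1).pdf` as the visible text). The context-specific escaping is the part that closes the bug; a WAF rule on the upload request, as the action above suggests, only reduces exposure until the plugin itself escapes on output.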



Advisories
Source: EUVD
ID: EUVD-2025-23610
Title: The Use-your-Drive | Google Drive plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in file metadata in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability can be exploited by the lowest authentication level permitted to upload files, including unauthenticated users, once a file upload shortcode is published on a publicly accessible post.
History

Tue, 05 Aug 2025 21:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpcloudplugins; Wpcloudplugins use-your-drive

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpcloudplugins; Wpcloudplugins use-your-drive

Tue, 05 Aug 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 Aug 2025 07:00:00 +0000

Type: Description
Values Added: The Use-your-Drive | Google Drive plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in file metadata in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability can be exploited by the lowest authentication level permitted to upload files, including unauthenticated users, once a file upload shortcode is published on a publicly accessible post.

Type: Title
Values Added: Use-your-Drive | Google Drive plugin for WordPress <= 3.3.1 - Unauthenticated Stored Cross-Site Scripting via File Metadata

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added:

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:13.487Z

Reserved: 2025-07-03T17:35:53.882Z

Link: CVE-2025-7050

Vulnrichment

Updated: 2025-08-05T15:58:10.535Z

NVD

Status: Deferred

Published: 2025-08-05T07:15:34.570

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:15:06Z

Weaknesses