{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12139", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T23:16:11.555Z", "datePublished": "2025-11-05T06:35:00.585Z", "dateUpdated": "2026-04-08T16:56:36.940Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:36.940Z"}, "affected": [{"vendor": "princeahmed", "product": "File Manager for Google Drive \u2013 Integrate Google Drive", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The File Manager for Google Drive \u2013 Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the \"get_localize_data\" function. This makes it possible for unauthenticated attackers to extract sensitive data including Google OAuth credentials (client_id and client_secret) and Google account email addresses."}], "title": "File Manager for Google Drive \u2013 Integrate Google Drive with WordPress <= 1.5.3 - Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/607073ad-3a4a-4a21-af0f-3ade81382605?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L88"}, {"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L232"}, {"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L243"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387825/integrate-google-drive"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "ifoundbug"}], "timeline": [{"time": "2025-10-13T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-24T17:24:20.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-04T17:38:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T14:35:26.115364Z", "id": "CVE-2025-12139", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:35:34.262Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T14:35:26.115364Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:35:31.427Z"}}], "cna": {"title": "File Manager for Google Drive \u2013 Integrate Google Drive with WordPress <= 1.5.3 - Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "ifoundbug"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "princeahmed", "product": "File Manager for Google Drive \u2013 Integrate Google Drive", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-13T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-24T17:24:20.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-04T17:38:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/607073ad-3a4a-4a21-af0f-3ade81382605?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L88"}, {"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L232"}, {"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L243"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387825/integrate-google-drive"}], "descriptions": [{"lang": "en", "value": "The File Manager for Google Drive \u2013 Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the \"get_localize_data\" function. This makes it possible for unauthenticated attackers to extract sensitive data including Google OAuth credentials (client_id and client_secret) and Google account email addresses."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:36.940Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12139", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:56:36.940Z", "dateReserved": "2025-10-23T23:16:11.555Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-05T06:35:00.585Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The File Manager for Google Drive \u2013 Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the \"get_localize_data\" function. This makes it possible for unauthenticated attackers to extract sensitive data including Google OAuth credentials (client_id and client_secret) and Google account email addresses."}], "id": "CVE-2025-12139", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-05T07:15:32.340", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L232"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L243"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L88"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3387825/integrate-google-drive"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/607073ad-3a4a-4a21-af0f-3ade81382605?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:46:11.435477+00:00", "value": {"mitigation_remediation": ["Update the plugin to the latest released version (greater than 1.5.3) where the get_localize_data function is fixed.", "If an update cannot be applied immediately, delete or disable the plugin to prevent unauthenticated access to the vulnerable code.", "Remove any hard\u2011coded Google OAuth client_id and client_secret from WordPress configuration files and ensure they are stored securely or regenerated if needed."], "summary": {"action": "Update Plugin", "impact": "Sensitive Information Exposure through Credential Leak"}, "threat_synthesis": {"affected_systems": "WordPress sites using the File Manager for Google Drive \u2013 Integrate Google Drive plugin, version 1.5.3 or earlier. The affected component is the get_localize_data function within class\u2011enqueue.php. Sites running newer releases are not impacted.", "description_and_impact": "The vulnerability is a sensitive information exposure flaw that allows unauthenticated attackers to retrieve Google OAuth credentials, specifically client_id and client_secret, as well as account email addresses from the plugin\u2019s configuration. The weakness, class\u2011enqueue.php\u2019s get_localize_data function, exposes critical authentication details that enable an attacker to impersonate the site\u2019s Google account or manipulate API calls on behalf of the site owner. The impact is limited to confidentiality loss of credentials and related data; it does not provide remote code execution or privilege escalation within the WordPress installation.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, and a 16% EPSS score signals a non\u2011negligible exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, but the combination of an unauthenticated vector and exposed credentials makes it attractive to attackers. Successful exploitation would give an attacker access to Google OAuth tokens, enabling them to act as the site\u2019s Google Drive user and potentially perform further malicious actions against the Google account or the site\u2019s files."}}}}, "created": "2025-11-06T10:07:25.677049+00:00", "updated": "2026-04-22T12:00:05.918765+00:00", "vendors": ["princeahmed", "princeahmed$PRODUCT$file_manager_for_google_drive", "wordpress", "wordpress$PRODUCT$wordpress"]}