CVE-2025-6546 in Drive Folder Embedder Plugin

Summary

by MITRE • 06/26/2025

The Drive Folder Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tablecssclass’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 07/08/2025

The Drive Folder Embedder plugin for WordPress contains a critical stored cross-site scripting vulnerability, tracked as CVE-2025-6546, that affects all versions up to and including 1.1.0. The flaw stems from inadequate input sanitization and output escaping in the plugin's handling of the 'tablecssclass' parameter. An authenticated attacker with Contributor-level privileges or higher can inject JavaScript into this parameter; the value is stored with the plugin configuration and executes in the browser of every user who later views an affected page. Because both input validation and output encoding fail, the injected content persists and reaches any viewer of the page. This is a significant concern for WordPress sites where several users hold Contributor access or higher, since it gives such users a path to escalate privileges and potentially compromise the entire site through persistent script injection.

Exploitation follows the well-established stored XSS pattern: malicious input is accepted and stored by the application without proper sanitization, then later retrieved and rendered in web pages without adequate output escaping. The 'tablecssclass' parameter is the injection point; JavaScript placed there runs in the browsers of other users when they load pages that contain the modified plugin configuration. The vulnerability maps to CWE-79, which covers untrusted data sent to a web browser without proper validation or escaping. The impact is amplified because contributors can typically modify content and settings, so installations where Contributor accounts may be compromised, or where users with that role are not properly monitored, are particularly exposed. Because the payload is stored, it persists until it is manually removed, creating a long-term threat that can be used for session hijacking, credential theft, or redirection to malicious sites.

The operational impact of CVE-2025-6546 goes beyond simple script execution and can extend to compromise of the whole WordPress installation. An attacker with Contributor-level access can inject scripts that steal user sessions, redirect visitors to phishing sites, or alter content in ways that damage the site's reputation and functionality. The injected scripts can also be designed to maintain access after the initial exploitation, giving the attacker a persistent foothold in the WordPress environment. The risk is highest in multi-user environments where contributors can reach sensitive data or where the Contributor role is granted to users who do not fully understand its security implications. In ATT&CK terms the activity aligns with T1059.007 (Command and Scripting Interpreter: JavaScript) and T1566 (Phishing), since the stored XSS can be used to mount phishing campaigns or to establish command and control channels. Organizations running affected versions of the Drive Folder Embedder plugin face a significant risk of data breaches, content tampering, and compromise of their entire WordPress ecosystem.

Mitigation of CVE-2025-6546 should start with an immediate update of the plugin to a version that fixes the stored XSS through proper input sanitization and output escaping. Administrators should apply strict access controls that limit Contributor privileges where possible, so that only trusted users can modify plugin settings. Content Security Policy headers add a layer of protection against script execution, but they are not a complete solution because the root cause lies in the application's input handling. Regular security audits of WordPress installations should check for outdated plugins and themes with similar weaknesses, paying particular attention to plugins that accept user-provided configuration parameters. Monitoring should be configured to detect unusual patterns of script injection or unauthorized configuration changes, and a web application firewall can detect and block known XSS attack patterns aimed at WordPress plugins. The vulnerability underlines the importance of regular patching and sound input validation, as recommended by the OWASP Top Ten and NIST cybersecurity guidance. User education on the risks of granting elevated privileges, and on the value of reviewing plugin configurations, further reduces the attack surface for this class of vulnerability.
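The sanitize-on-input, escape-on-output fix that the analysis and the mitigation guidance call for, shown as an added PHP illustration rather than the plugin's own code: a shortcode attribute named tablecssclass is rendered once unsafely and once in hardened form. The render functions, the constructed input, and the minimal stand-ins for the WordPress helpers sanitize_html_class and esc_attr are all assumptions made so the file runs with plain php; a real plugin would call the WordPress core functions directly.

```php
<?php
// Added illustration, not code from the Drive Folder Embedder plugin.
// Stand-ins for WordPress helpers so this runs without WordPress loaded
// (assumption: they mirror the core behaviour closely enough for the demo).
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class(string $class, string $fallback = ''): string {
        // Like core: drop percent-encoded bytes, then anything outside [A-Za-z0-9_-].
        $s = preg_replace('|%[a-fA-F0-9][a-fA-F0-9]|', '', $class);
        $s = preg_replace('/[^A-Za-z0-9_-]/', '', $s);
        return ($s === '') ? $fallback : $s;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Encode quotes and angle brackets so the value cannot end the attribute.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// UNSAFE pattern: the stored attribute value is echoed verbatim, so a double
// quote inside it closes the class attribute and the remainder becomes markup.
function render_table_unsafe(array $atts): string {
    $class = $atts['tablecssclass'] ?? 'drive-table';
    return '<table class="' . $class . '">';
}

// HARDENED pattern: restrict the value to a CSS class name when it is accepted,
// and escape it again when it is written into the HTML attribute.
function render_table_safe(array $atts): string {
    $class = sanitize_html_class($atts['tablecssclass'] ?? '', 'drive-table');
    return '<table class="' . esc_attr($class) . '">';
}

// Constructed shortcode attributes: a value that tries to leave the attribute
// and add one of its own (a harmless data- attribute is enough to show it).
$hostile = ['tablecssclass' => 'wide" data-injected="1'];
echo "unsafe: ", render_table_unsafe($hostile), PHP_EOL;
echo "safe:   ", render_table_safe($hostile), PHP_EOL;
```

In the hardened output the quotes, space and equals sign are stripped before the value reaches the attribute, so the constructed input collapses to a single harmless class name and no new attribute or tag can be introduced.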

Reservation

06/23/2025

Disclosure

06/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00165

KEV

no

Activities

very low
