CVE-2025-27016: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Drivr Lite – Google Drive Plugin for WordPress, affecting versions up to and including 1.0.1. The vulnerability was identified on February 15, 2025, and publicly disclosed on February 18, 2025. This security issue, tracked as CVE-2025-27016, allows authenticated users with Contributor-level access or higher to perform stored XSS attacks (Patchstack, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's code. It has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (Patchstack).

The vulnerability allows malicious actors to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected content. This could enable attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which will be executed when visitors access the affected pages (WPScan).

Currently, there is no official fix available for this vulnerability. Given the low severity impact and the requirement for authenticated access, the vulnerability is considered unlikely to be exploited. Website administrators should consider implementing additional access controls and monitoring for suspicious activities (Patchstack).