CVE-2025-6546: 
WordPress vulnerability analysis and mitigation

The Drive Folder Embedder plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6546) that affects all versions up to and including 1.1.0. The vulnerability was discovered and disclosed on June 25, 2025. The plugin has been temporarily closed since June 24, 2025, pending a full security review (WordPress Plugin, NVD).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 Base Score of 6.4. The vulnerability stems from insufficient input sanitization and output escaping of the 'tablecssclass' parameter, which is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack vector requires authentication with Contributor-level access or higher (NVD, Wiz).

When successfully exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or theft of sensitive information (Wiz).

The plugin has been temporarily closed as of June 24, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).