Skip to main content

Integrate Google Drive CVE-2023-32117

CRITICAL
Missing Authorization (CWE-862)
2024-12-09 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

DescriptionCVE.org

Missing Authorization vulnerability in princeahmed Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integrate Google Drive: from n/a through <= 1.1.99.

AnalysisAI

Missing authorization in the Integrate Google Drive WordPress plugin (versions up to and including 1.1.99) lets unauthenticated remote attackers bypass access control checks to reach functionality that should be restricted. EPSS is exceptionally high at 88.16% (99th percentile), indicating strong exploitation likelihood, though no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Technical ContextAI

The affected component is the 'Integrate Google Drive' WordPress plugin by princeahmed, which embeds Google Drive content and file management into WordPress sites and exposes plugin endpoints (typically AJAX/REST handlers) for these operations. The root cause is CWE-862 (Missing Authorization): one or more privileged actions are reachable without verifying that the caller is permitted to perform them - most commonly a missing capability check or nonce verification on an exposed handler. Because WordPress plugins frequently register hooks accessible to any visitor (e.g. wp_ajax_nopriv_* or unauthenticated REST routes), an Authorization gap in such a handler is directly reachable from the internet against any site running the vulnerable version.

Affected ProductsAI

The vulnerability affects the 'Integrate Google Drive' WordPress plugin (slug: integrate-google-drive) by princeahmed in all versions from initial release up to and including 1.1.99. No CPE was provided in the input data, and no vendor advisory URL was supplied - Patchstack typically publishes the canonical advisory at patchstack.com/database for the corresponding CVE ID. Site operators should confirm the installed plugin version via wp-admin → Plugins or by inspecting wp-content/plugins/integrate-google-drive/.

RemediationAI

Upgrade the Integrate Google Drive plugin to a version greater than 1.1.99 (the vendor's first patched release above this range, per the Patchstack advisory which should be consulted at patchstack.com for the exact fix version, since no specific fix version was independently confirmed in the input data). If immediate upgrade is not possible, deactivate and remove the plugin entirely from wp-content/plugins as a complete mitigation; partial mitigations include restricting access to /wp-admin/admin-ajax.php and the plugin's REST routes via a WAF or web server rules to authenticated IPs only (trade-off: this will break legitimate front-end Drive integrations for unauthenticated visitors). Monitor web server logs for unauthenticated POST requests to admin-ajax.php with action parameters referencing 'igd_' or 'integrate_google_drive' as potential indicators of probing.

Share

CVE-2023-32117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy