Integrate Google Drive CVE-2023-32117
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
DescriptionCVE.org
Missing Authorization vulnerability in princeahmed Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integrate Google Drive: from n/a through <= 1.1.99.
AnalysisAI
Missing authorization in the Integrate Google Drive WordPress plugin (versions up to and including 1.1.99) lets unauthenticated remote attackers bypass access control checks to reach functionality that should be restricted. EPSS is exceptionally high at 88.16% (99th percentile), indicating strong exploitation likelihood, though no public exploit identified at time of analysis and the CVE is not on CISA KEV.
Technical ContextAI
The affected component is the 'Integrate Google Drive' WordPress plugin by princeahmed, which embeds Google Drive content and file management into WordPress sites and exposes plugin endpoints (typically AJAX/REST handlers) for these operations. The root cause is CWE-862 (Missing Authorization): one or more privileged actions are reachable without verifying that the caller is permitted to perform them - most commonly a missing capability check or nonce verification on an exposed handler. Because WordPress plugins frequently register hooks accessible to any visitor (e.g. wp_ajax_nopriv_* or unauthenticated REST routes), an Authorization gap in such a handler is directly reachable from the internet against any site running the vulnerable version.
Affected ProductsAI
The vulnerability affects the 'Integrate Google Drive' WordPress plugin (slug: integrate-google-drive) by princeahmed in all versions from initial release up to and including 1.1.99. No CPE was provided in the input data, and no vendor advisory URL was supplied - Patchstack typically publishes the canonical advisory at patchstack.com/database for the corresponding CVE ID. Site operators should confirm the installed plugin version via wp-admin → Plugins or by inspecting wp-content/plugins/integrate-google-drive/.
RemediationAI
Upgrade the Integrate Google Drive plugin to a version greater than 1.1.99 (the vendor's first patched release above this range, per the Patchstack advisory which should be consulted at patchstack.com for the exact fix version, since no specific fix version was independently confirmed in the input data). If immediate upgrade is not possible, deactivate and remove the plugin entirely from wp-content/plugins as a complete mitigation; partial mitigations include restricting access to /wp-admin/admin-ajax.php and the plugin's REST routes via a WAF or web server rules to authenticated IPs only (trade-off: this will break legitimate front-end Drive integrations for unauthenticated visitors). Monitor web server logs for unauthenticated POST requests to admin-ajax.php with action parameters referencing 'igd_' or 'integrate_google_drive' as potential indicators of probing.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today