File Manager for Google Drive WordPress Plugin Sensitive Information Exposure Vulnerability

Vulnerability

A vulnerability allowing sensitive information exposure exists in the File Manager for Google Drive - Integrate Google Drive with WordPress plugin, in all versions through 1.5.3. The issue arises in the 'get_localize_data' function, where unauthenticated attackers can access sensitive data such as Google OAuth credentials (client_id and client_secret) and Google account email addresses.

Impact

Exploitation of this vulnerability allows unauthenticated users to access sensitive information, including Google OAuth credentials and email addresses associated with Google accounts.

Reproduction

The vulnerability can be reproduced by sending a request to the WordPress site with the 'elementor-preview' parameter set, which triggers the 'get_localize_data' function. This can be done by accessing a page that uses the Elementor editor, or by manually adding the parameter to the URL of a page on the WordPress site.
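For reviewing whether the trigger described above was already hit on a site, the following added example (not part of the original advisory or the plugin's code) scans web server access logs for successful requests that carry the 'elementor-preview' parameter. It assumes the Apache/nginx "combined" log format; the sample log lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (assumed; adjust for a custom format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TRIGGER_PARAM = "elementor-preview"  # parameter named in the advisory

SAMPLE_LOG = [  # constructed log lines using documentation IP ranges
    '203.0.113.7 - - [05/Nov/2025:07:01:10 +0000] "GET /sample-page/?elementor-preview=12 HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '203.0.113.7 - - [05/Nov/2025:07:01:12 +0000] "GET /?elementor%2Dpreview HTTP/1.1" 200 47102 "-" "curl/8.5.0"',
    '198.51.100.4 - - [05/Nov/2025:07:02:00 +0000] "GET /?s=elementor-preview HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Nov/2025:07:03:30 +0000] "GET /blog/?elementor-preview=3 HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]


def find_preview_requests(lines):
    """Return {client_ip: [(timestamp, request_target), ...]} for successful
    requests whose query string carries the elementor-preview parameter."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Only 2xx responses rendered a page that could contain the data.
        if not m["status"].startswith("2"):
            continue
        query = urlsplit(m["target"]).query
        # parse_qs decodes percent-encoding, so "elementor%2Dpreview" matches;
        # keep_blank_values catches "?elementor-preview" with no value.
        # Matching on parameter names avoids hits on "?s=elementor-preview".
        params = parse_qs(query, keep_blank_values=True)
        if TRIGGER_PARAM in params:
            hits[m["ip"]].append((m["ts"], m["target"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in find_preview_requests(SAMPLE_LOG).items():
        print(ip, len(reqs), "request(s); first at", reqs[0][0])
```

Logged-in editors using Elementor also generate such requests, so compare the reported client addresses against known administrator sessions before concluding that the OAuth credentials were exposed.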

Remediation

Users are advised to update the plugin to version 1.5.4 or later.

Added: Nov 5, 2025, 7:22 AM
Updated: Nov 5, 2025, 7:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 0.9
threat: 5.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.