A critical privilege escalation vulnerability was recently discovered in Google's Site Kit WordPress plugin that could allow attackers to gain full admin access to the Google Search Console property of a targeted site.
Site Kit is an official WordPress plugin by Google that allows WordPress admins to deploy, centrally manage, and get insights from critical Google tools such as Search Console, Analytics, AdSense, PageSpeed Insights, Tag Manager and Optimize.
The plugin is currently used by more than 400,000 website admins, and any of these websites could be easily hacked if their Site Kit plugin is not updated.
The vulnerable versions of the Google Site Kit WordPress plugin are lower than v1.8.0.
The threat intelligence team at Wordfence discovered this Google Search Console privilege access vulnerability, tracing it to the disclosure of proxySetupURL within the HTML source code of admin pages.
proxySetupURL is used in a verification process through a proxy that establishes a connection between the Site Kit plugin and Google Search Console via Google OAuth.
Besides, Wordfence discovered another issue in the plugin where “the verification request used to verify a site’s ownership was a registered admin action that, again, did not have any capability checks. This allowed verification requests to come from any authenticated WordPress user, including those with minimal permissions”.
“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” said Wordfence.
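The missing capability check described above, shown as an added example in WordPress PHP. This is not Site Kit's code and not from the Wordfence report; the action name `demo_verify_site`, the option name and the function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Demo capability check (constructed example)
 *
 * Hypothetical plugin: the action name, option name and function names are
 * invented for illustration and are not taken from Site Kit.
 */

// BEFORE: wp-admin/admin.php fires admin_action_{action} for ANY logged-in
// user who can load an admin page, subscribers included. Nothing here asks
// who is calling, so every authenticated user can store a verification token.
function demo_verify_site_unchecked() {
    $token = isset( $_GET['demo_token'] )
        ? sanitize_text_field( wp_unslash( $_GET['demo_token'] ) )
        : '';
    update_option( 'demo_verification_token', $token );
    wp_safe_redirect( admin_url() );
    exit;
}

// AFTER: same action, gated on a capability and a nonce before any state changes.
function demo_verify_site_checked() {
    // 1. Authorization: only roles holding manage_options (administrators by default).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to verify this site.', 'demo' ),
            '',
            array( 'response' => 403 )
        );
    }
    // 2. Intent: the request must carry a nonce minted for this action,
    //    which blocks cross-site request forgery against an administrator.
    check_admin_referer( 'demo_verify_site', 'demo_nonce' );

    $token = isset( $_GET['demo_token'] )
        ? sanitize_text_field( wp_unslash( $_GET['demo_token'] ) )
        : '';
    if ( '' === $token ) {
        wp_die( esc_html__( 'Missing verification token.', 'demo' ), '', array( 'response' => 400 ) );
    }
    update_option( 'demo_verification_token', $token );
    wp_safe_redirect( admin_url() );
    exit;
}

// Register only the checked handler; the unchecked one is kept for comparison.
add_action( 'admin_action_demo_verify_site', 'demo_verify_site_checked' );
```

When reviewing a plugin, every `admin_action_*`, `admin_post_*` and `wp_ajax_*` callback that changes state should open with both checks.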
There are many ways an attacker could make use of the Google Search Console by exploiting this vulnerability, such as:
- Manipulate search engine result pages through Blackhat SEO
- Inject malicious content on site for monetization
- Modify Sitemaps
- Remove URLs and website links from the Google search engine result pages (SERPs)
- View competitive performance data and more
Site Kit WordPress plugin users are advised to update their plugins to the latest version 1.8.0 to prevent any hacking attempts on their site.
Further, reset your plugin and check your inbox to see whether you received a Google alert for your Search Console property, or visit your Search Console account to see whether any unknown owners have been added to your property.
According to the report published by WordPress, this privilege access vulnerability is considered a critical security issue with a CVSS score of 9.1.
“We filed a security issue report with Google on April 21, 2020. A patch was released a few weeks later on May 7, 2020,” says the report.
While the patch was released by Google within a week, at the time of writing this article, only 39.8 percent of Site Kit plugin users have updated the plugin to its latest version 1.8.0 (as shown in the above image).