Google WordPress Plugin Bug Allowed Access To Google Search Console

Continuing the list of plugins risking WordPress websites, now joins Site Kit by Google. This Google WordPress plugin had a bug that allowed attackers to access the website’s Search Console.

Google WordPress Plugin Bug

Team Wordfence has found a critical security bug with a CVSS score of 9.1 in the official Google plugin for WordPress. According to their blog post, they found that the flaw in Site Kit by Google exposed the website’s Search Console.

Site Kit by Google is a dedicated plugin for WordPress allowing the admins to see how the site performs. Besides showing the stats, the plugin also facilitates the quick setup of Google tools. Presently, the plugin boasts more than 400,000 active installations.

Briefly, the bug existed due to a lack of capability check on the admin_enqueue_scripts action. This exposed the proxySetupURL via the HTML source code of admin pages to authorized users with any privileges.

Moreover, there also existed a similar lacking while handling verification requests from incoming users. This allowed any authenticated user to send verification requests regardless of admin privileges.

Consequently, an adversary with authenticated user access to the /wp-admin dashboard could gain owner access to the website’s Search Console.

Regarding the potential threats associated with the exploitation of this bug, the researchers stated,

Owner access allows an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.

The following video demonstrates the PoC of the exploit.

Patch Released – Update Site Kit by Google

Wordfence discovered the vulnerability in the plugin in late April 2020. Following the discovery, they reached out to Google via their Vulnerability Reward Program (VRP).

Then, it took a few days for Google to address the flaw. Yet, they eventually released the patch with plugin version 1.8.0.

Hence, all WordPress admins using the Site Kit by Google plugin must ensure updating their sites to the latest plugin version 1.8.0.

Moreover, the researchers also advise resetting the plugin’s connection with the site, as well as to remove any unwanted Search Console users.

Let us know your thoughts in the comments.

The following two tabs change content below.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Related