A vulnerability was found in Google’s Site Kit WordPress plugin and subsequently patched.
The vulnerability permits an attacker to escalate web site privileges and assault a victims search visibility, alter web site maps and extra.
Google Site Kit WordPress Plugin
The vulnerability impacts Site Kit by Google. Google Site Kit is a Google WordPress.
Google Site Kit shows details about your web site throughout the WordPress Admin dashboard. It aggregates data from Google Search Console (GSC), Google Analytics, AdSense, Page Speed Insights and different Google instruments.
Researchers at WordFence (@wordfence) found the vulnerability, notified Google then revealed an announcement after the plugin was up to date.
According to the announcement:
“This is taken into account a important safety challenge that might result in attackers acquiring proprietor entry to your web site in Google Search Console.
Owner entry permits an attacker to change sitemaps, take away pages from Google search engine outcome pages (SERPs), or to facilitate black hat search engine optimisation campaigns.”
Privilege Escalation Vulnerability
The vulnerability affecting Google Site Kit is a Privilege Escalation exploit. This sort of exploit requires that an attacker to be registered on the WordPress web site (for instance, as a subscriber) with a view to benefit from a safety gap.
Ordinarily a registered person on the subscriber stage has minimal privileges on a web site. The vulnerability nevertheless permits an attacker to realize admin stage web site privileges, to escalate their web site entry privileges.
The vulnerability was found by WordFence safety researcher Chloe Chamberland on April 21, 2020 and reported to Google on the identical day. A patch was issued by Google on May 7, 2020
According to WordFence vulnerability researcher Chloe Chamberland:
“Connecting two methods, like a WordPress web site and Google’s web site possession instruments, at all times comes with some extent of danger. Ensuring the mixing between each methods is secured is critically vital.
When corporations like Google have an easy-to-find vulnerability disclosure coverage in place, it helps researchers get fixes out shortly to finish customers.
As the area matures, we’re seeing extra builders publishing clear Vulnerability Disclosure Policies, however extra must be accomplished to make sure that safety researchers and builders can shortly join and make the online safer for us all. “
Subscribers to the WordFence Premium safety plugin would have been shielded from this exploit on the identical day that it was found, weeks earlier than the patch was issued by Google.
CONTINUE READING BELOW
Google Site Kit Versions Affected
This vulnerability impacts Google Site Kit variations which might be decrease than model 1.eight.zero.
Google Site Kit 1.eight.zero has been absolutely patched. It is strongly advisable that customers replace their plugin instantly.
Google’s Site Kit WordPress plugin changelog clearly states that model 1.eight.zero has a safety replace and it strongly recommends customers replace.
Read the official announcement:
Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access