Continuing the list of plugins risking WordPress websites, now joins Site Kit by Google. This Google WordPress plugin had a bug that allowed attackers to access the website’s Search Console.
Google WordPress Plugin Bug
Team Wordfence has found a critical security bug with a CVSS score of 9.1 in the official Google plugin for WordPress. According to their blog post, they found that the flaw in Site Kit by Google exposed the website’s Search Console.
Site Kit by Google is a dedicated plugin for WordPress allowing the admins to see how the site performs. Besides showing the stats, the plugin also facilitates the quick setup of Google tools. Presently, the plugin boasts more than 400,000 active installations.
Briefly, the bug existed due to a lack of capability check on the admin_enqueue_scripts action. This exposed the proxySetupURL via the HTML source code of admin pages to authorized users with any privileges.
Moreover, there also existed a similar lacking while handling verification requests from incoming users. This allowed any authenticated user to send verification requests regardless of admin privileges.
Consequently, an adversary with authenticated user access to the /wp-admin dashboard could gain owner access to the website’s Search Console.
Regarding the potential threats associated with the exploitation of this bug, the researchers stated,
Owner access allows an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.
The following video demonstrates the PoC of the exploit.
Patch Released – Update Site Kit by Google
Wordfence discovered the vulnerability in the plugin in late April 2020. Following the discovery, they reached out to Google via their Vulnerability Reward Program (VRP).
Then, it took a few days for Google to address the flaw. Yet, they eventually released the patch with plugin version 1.8.0.
Hence, all WordPress admins using the Site Kit by Google plugin must ensure updating their sites to the latest plugin version 1.8.0.
Moreover, the researchers also advise resetting the plugin’s connection with the site, as well as to remove any unwanted Search Console users.
Let us know your thoughts in the comments.