A vulnerability was discovered in Google’s Site Kit WordPress plugin and subsequently patched.
The vulnerability allows an attacker to escalate site privileges and attack a victims search visibility, alter site maps and more.
Google Site Kit WordPress Plugin
The vulnerability affects Site Kit by Google. Google Site Kit is a Google WordPress.
Google Site Kit displays information about your site within the WordPress Admin dashboard. It aggregates information from Google Search Console (GSC), Google Analytics, AdSense, Page Speed Insights and other Google tools.
Researchers at WordFence (@wordfence) discovered the vulnerability, notified Google then published an announcement after the plugin was updated.
According to the announcement:
“This is considered a critical security issue that could lead to attackers obtaining owner access to your site in Google Search Console.
Owner access allows an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.”
Privilege Escalation Vulnerability
The vulnerability affecting Google Site Kit is a Privilege Escalation exploit. This kind of exploit requires that an attacker to be registered on the WordPress site (for example, as a subscriber) in order to take advantage of a security hole.
Ordinarily a registered user at the subscriber level has minimal privileges on a website. The vulnerability however allows an attacker to gain admin level site privileges, to escalate their site access privileges.
The vulnerability was discovered by WordFence security researcher Chloe Chamberland on April 21, 2020 and reported to Google on the same day. A patch was issued by Google on May 7, 2020
According to WordFence vulnerability researcher Chloe Chamberland:
“Connecting two systems, like a WordPress site and Google’s site ownership tools, always comes with some degree of risk. Ensuring the integration between both systems is secured is critically important.
When companies like Google have an easy-to-find vulnerability disclosure policy in place, it helps researchers get fixes out quickly to end users.
As the space matures, we’re seeing more developers publishing clear Vulnerability Disclosure Policies, but more needs to be done to ensure that security researchers and developers can quickly connect and make the web safer for us all. “
Subscribers to the WordFence Premium security plugin would have been protected from this exploit on the same day that it was discovered, weeks before the patch was issued by Google.
Google Site Kit Versions Affected
This vulnerability affects Google Site Kit versions that are lower than version 1.8.0.
Google Site Kit 1.8.0 has been fully patched. It is strongly recommended that users update their plugin immediately.
Google’s Site Kit WordPress plugin changelog clearly states that version 1.8.0 has a security update and it strongly recommends users update.
Read the official announcement:
Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access