Researchers discovered a critical vulnerability in Google’s official WordPress plugin, “Site Kit by Google,” that allows any authenticated user, regardless of their role, to become a Google Search Console owner for any website running a vulnerable version of the plugin.
WordPress is one of the leading platforms for publishing websites and content on the internet. It is a complete, modular CMS that is constantly evolving, and the vast community behind it deserves the credit for that development.
The “Site Kit by Google” plugin is currently installed on over 300,000 websites. The Wordfence Threat Intelligence team reported this security flaw to Google on April 21, 2020, and two weeks later, on May 7, Google published an update for the plugin that fixed it, so make sure to update your plugin to version 1.8.0 or higher.
Vulnerability in Site Kit by Google
This vulnerability allows any user who has authenticated on the website, regardless of their role on it, to access and take control of the site’s Google Search Console.
An attacker could then carry out unwanted operations such as modifying sitemaps, keeping certain pages from showing in Google search results (SERPs), or even putting the entire site at the service of Black Hat SEO campaigns that promote low-quality content.
- Description: Google Search Console Privilege Escalation
- Affected Plugin: Site Kit by Google
- Plugin Slug: google-site-kit
- Affected Versions: <= 1.7.1
- CVE ID: Will be updated once the identifier is supplied.
- CVSS Score: 9.1 (Critical)
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
- Fully Patched Version: 1.8.0
The Site Kit by Google plugin lets you obtain and display data from your Google Search Console, Analytics, AdSense, PageSpeed Insights, Optimize, and Tag Manager accounts. To connect to Site Kit for the first time, the plugin generates a proxySetupURL, which redirects the site’s owner to Google OAuth and initiates the site owner verification process via a proxy.
The security researchers disclosed two flaws that together allowed subscriber-level users to gain direct access to the Google Search Console and become owners. They are:
- proxySetupURL Disclosure
- Unprotected Verification
Remove unwanted owners
- First, you have to log into your Google Search Console.
- Then you have to go to ‘Settings’, as here you will find “Users and Permissions.”
- Now you will get a screen that we mentioned below, where you have to click on “Users and Permissions.”
- After that, review the users listed and then click on the three dots next to the site owner that you want to remove.
- Now you are done.
If you want to see the full log of verification requests to discover when new owners were added, so that you can “Unverify” all the unknown owners, follow the steps below:
- First, you have to click on “Manage property Owners.”
- Then you have to click on the “Unverify” option to disable the unwanted owner and revoke the access.
- That’s it.
Since the patch was released on May 7, almost 200,000 website owners have already updated their Site Kit plugin. The most shocking thing, however, is that more than 100,000 websites are still exposed to this vulnerability.
An attacker with unauthorized access to the Google Search Console can damage the site’s reputation, ranking, earnings, and visibility in Google search results. In short, to protect your site and its data, update the Site Kit by Google plugin immediately.
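To find installs that still need the update, the following added example (not code from Wordfence or Google) walks a hosting directory, reads the `Version:` line from each copy of the plugin’s header, and flags anything below 1.8.0. The directory layout and the sample sites are constructed for illustration; the plugin slug and version numbers come from the advisory above.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "google-site-kit"   # slug given in the advisory
FIXED_VERSION = (1, 8, 0)         # first fully patched release per the advisory
# WordPress reads plugin metadata from a comment header in the main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.M | re.I)

def version_tuple(text):
    """'1.7.1' -> (1, 7, 1); short versions are padded with zeros."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return match.group(1)
    return None

def audit(root):
    """List (relative path, version, status) for every copy of the plugin under root."""
    findings = []
    for plugin_dir in sorted(Path(root).rglob(f"wp-content/plugins/{PLUGIN_SLUG}")):
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"    # no readable header: check this copy by hand
        elif version_tuple(version) < FIXED_VERSION:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append((plugin_dir.relative_to(root).as_posix(), version, status))
    return findings

def build_sample_tree(root):
    """Constructed test data: three fake sites with different plugin headers."""
    for site, header in [("site-a", "Version: 1.7.1"), ("site-b", "Version: 1.8.0"), ("site-c", "")]:
        plugin = Path(root) / site / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin.mkdir(parents=True)
        (plugin / f"{PLUGIN_SLUG}.php").write_text(
            f"<?php\n/**\n * Plugin Name: Site Kit by Google\n * {header}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version, status in audit(tmp):
            print(f"{status:10} {version or '-':8} {path}")
```

A site reported as vulnerable should also have its Search Console owner list reviewed as described above, since updating the plugin does not remove owners that were already added.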