Researchers discovered a critical vulnerability in Google’s official WordPress plugin “Site Kit by Google” that allows any authenticated user, regardless of their role or permissions, to become the Google Search Console owner of any website running a vulnerable version of the Site Kit by Google plugin.
We all know that WordPress is one of the leading platforms for publishing websites and content on the internet. It is a very complete, modular CMS solution that is constantly evolving, and for all of its development we should thank the vast community behind it.
The “Site Kit by Google” plugin is currently installed on over 300,000 websites. The Wordfence Threat Intelligence team reported this security flaw to Google on April 21, 2020, and two weeks later, on May 7, Google published an update for the “Site Kit by Google” plugin that fixed the flaw, so make sure to update your plugin to version 1.8.0 or higher.
This vulnerability allows any user who has authenticated themselves on the website, regardless of their role in it, to access and take command of the Google Search Console.
In this way, the attacker could carry out unwanted operations such as modifying sitemaps, removing certain entries from Google search results (SERPs), or even putting the entire site at the service of Black Hat SEO campaigns that promote low-quality content.
The Site Kit by Google plugin allows you to obtain and display data from a Google Search Console account, Analytics, AdSense, PageSpeed Insights, Optimize, and Tag Manager. To establish the connection with Site Kit for the first time, the plugin generates a proxySetupURL, which redirects the site’s owner to Google OAuth and initiates the site-owner verification process via a proxy.
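As an added illustration of the authorization gap described above (this is not Site Kit’s own code, and the `example_` function names and the AJAX action are hypothetical): a WordPress handler that hands the proxy setup URL to any logged-in user, beside a version gated on a nonce and the `manage_options` capability so that only administrators can start owner verification.

```php
<?php
// Added example, not code from the Site Kit plugin. The helper below is a
// placeholder for whatever builds the proxy/OAuth URL that starts owner verification.
function example_build_proxy_setup_url() {
    return 'https://example.invalid/proxy-setup?site=' . rawurlencode( home_url() );
}

// RISKY PATTERN: wp_ajax_* hooks fire for every authenticated user, so a
// subscriber-level account can fetch the setup URL and complete verification.
add_action( 'wp_ajax_example_get_setup_url', 'example_get_setup_url_vulnerable' );
function example_get_setup_url_vulnerable() {
    wp_send_json_success( array( 'url' => example_build_proxy_setup_url() ) );
}

// HARDENED PATTERN: require a nonce bound to this action and a capability that
// only site administrators hold; reject everyone else with a 403.
add_action( 'wp_ajax_example_get_setup_url_safe', 'example_get_setup_url_hardened' );
function example_get_setup_url_hardened() {
    check_ajax_referer( 'example_setup_url', 'nonce' ); // dies on a missing/invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array( 'url' => example_build_proxy_setup_url() ) );
}

// Keep the nonce (and therefore the URL) out of markup rendered to non-admins:
// only localize the setup script for users who may run the flow at all.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'example-setup', 'exampleSetup', array(
        'nonce' => wp_create_nonce( 'example_setup_url' ),
    ) );
} );
```

The capability check is the part that matters: a nonce alone only proves the request came from the plugin’s own page, not that the user is allowed to claim ownership.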
Security researchers disclosed two security flaws that allowed subscriber-level users to gain direct access to Google Search Console and become owners. Here they are:
If you want to see the full log of verification requests, to discover when new owners were added so that you can “Unverify” all unknown owners, follow the steps below:
Since the patch was released on May 7, almost 200,000 website owners have already updated their Site Kit plugin. The most worrying part, however, is that more than 100,000 websites are still exposed to this vulnerability.
An attacker with unauthorized access to Google Search Console could damage the site’s reputation and ranking, hurt its earnings, and reduce its visibility in Google search results. In short, to protect your site and its data, update the Site Kit by Google plugin immediately.