A vulnerability has been found in Google’s Site Kit WordPress plugin and has since been patched. The vulnerability allowed attackers to escalate site privileges and then attack a victim’s search visibility and alter sitemaps, among other things.
Google Site Kit displays information about your site within the WordPress Admin dashboard. It aggregates information from Google Search Console (GSC), Google Analytics, AdSense, PageSpeed Insights, and other Google tools.
Wordfence researchers (@wordfence) found the vulnerability and notified Google. The announcement was made after the plugin was updated.
According to the announcement:
“This is considered a critical security issue that could lead to attackers obtaining owner access to your site in Google Search Console.
Owner access allows an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.”
This particular vulnerability is a privilege escalation exploit. This type of exploit requires an attacker to be registered on the WordPress site in order to take advantage of the security hole. An account as low as subscriber level is enough for the exploit to work.
A subscriber-level user normally has minimal privileges on a website. With this vulnerability, however, an attacker can escalate to admin-level site privileges.
Chloe Chamberland of Wordfence discovered the vulnerability on April 21 and reported it to Google on the same day. On May 7, Google issued a patch.
According to Wordfence vulnerability researcher Chloe Chamberland:
“Connecting two systems, like a WordPress site and Google’s site ownership tools, always comes with some degree of risk. Ensuring the integration between both systems is secured is critically important.
When companies like Google have an easy-to-find vulnerability disclosure policy in place, it helps researchers get fixes out quickly to end users.
As the space matures, we’re seeing more developers publishing clear Vulnerability Disclosure Policies, but more needs to be done to ensure that security researchers and developers can quickly connect and make the web safer for us all.”
Any subscriber of the Wordfence Premium security plugin would have been protected from the exploit on the day it was initially discovered.
The exploit affected Google Site Kit versions lower than 1.8.0.
It is strongly suggested that users update their plugins immediately.