Google Site Kit WordPress Plugin Vulnerability via @martinibuster - Website Pro USA
Website Builder,SEO,Social Media Consultant, Hosting, Website Care Plans
43545
post-template-default,single,single-post,postid-43545,single-format-standard,theme-bridge,woocommerce-no-js,ajax_updown,page_not_loaded,,qode-content-sidebar-responsive,columns-3,qode-child-theme-ver-1.0.0,qode-theme-ver-9.2,hide_inital_sticky,wpb-js-composer js-comp-ver-7.9,vc_responsive

Google Site Kit WordPress Plugin Vulnerability via @martinibuster

Google Site Kit WordPress Plugin Vulnerability via @martinibuster

A vulnerability was discovered in Google’s Site Kit WordPress plugin and subsequently patched.

The vulnerability allows an attacker to escalate site privileges and attack a victims search visibility, alter site maps and more.

Google Site Kit WordPress Plugin

The vulnerability affects Site Kit by Google. Google Site Kit is a Google WordPress.

ADVERTISEMENT
CONTINUE READING BELOW

Google Site Kit displays information about your site within the WordPress Admin dashboard. It aggregates information from Google Search Console (GSC), Google Analytics, AdSense, Page Speed Insights and other Google tools.

Researchers at WordFence (@wordfence) discovered the vulnerability, notified Google then published an announcement after the plugin was updated.

According to the announcement:

“This is considered a critical security issue that could lead to attackers obtaining owner access to your site in Google Search Console.

Owner access allows an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.”

Google Site Kit VulnerabilityGoogle Site Kit VulnerabilityGoogle Site Kit is a WordPress plugin that displays Google AdSense, Analytics and GSC data within the WordPress Admin area.

Privilege Escalation Vulnerability

The vulnerability affecting Google Site Kit is a Privilege Escalation exploit. This kind of exploit requires that an attacker to be registered on the WordPress site (for example, as a subscriber) in order to take advantage of a security hole.

ADVERTISEMENT
CONTINUE READING BELOW

Ordinarily a registered user at the subscriber level has minimal privileges on a website. The vulnerability however allows an attacker to gain admin level site privileges, to escalate their site access privileges.

The vulnerability was discovered by WordFence security researcher Chloe Chamberland on April 21, 2020 and reported to Google on the same day. A patch was issued by Google on May 7, 2020

According to WordFence vulnerability researcher Chloe Chamberland:

“Connecting two systems, like a WordPress site and Google’s site ownership tools, always comes with some degree of risk. Ensuring the integration between both systems is secured is critically important.

When companies like Google have an easy-to-find vulnerability disclosure policy in place, it helps researchers get fixes out quickly to end users.

As the space matures, we’re seeing more developers publishing clear Vulnerability Disclosure Policies, but more needs to be done to ensure that security researchers and developers can quickly connect and make the web safer for us all. “

ADVERTISEMENT
CONTINUE READING BELOW

Subscribers to the WordFence Premium security plugin would have been protected from this exploit on the same day that it was discovered, weeks before the patch was issued by Google.

Google Site Kit Versions Affected

This vulnerability affects Google Site Kit versions that are lower than version 1.8.0.

Google Site Kit 1.8.0 has been fully patched. It is strongly recommended that users update their plugin immediately.

Google Site Kit Plugin VulnerabilityGoogle Site Kit Plugin Vulnerability

Google’s Site Kit WordPress plugin changelog clearly states that version 1.8.0 has a security update and it strongly recommends users update.

ADVERTISEMENT
CONTINUE READING BELOW

Read the official announcement:

Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access

No Comments

Sorry, the comment form is closed at this time.