A critical bug found in Google’s official WordPress plugin with 300,000 active installations could allow attackers to gain owner access to targeted sites’ Google Search Console.
Site Kit is a WordPress plugin designed by Google to help site owners gain insight into how visitors find and use their website, via official stats collected from multiple Google tools and displayed directly in the WordPress dashboard.
The plugin also makes it easier to set up and configure key Google products such as the Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense.
Privilege escalation vulnerability
The Google Search Console Privilege Escalation vulnerability was discovered by the Wordfence Threat Intelligence team on April 21 and reported to the Google Security team on April 22.
As Wordfence details, the bug is caused by the disclosure of the proxySetupURL within the HTML source code of admin pages, a URL used to connect the Site Kit plugin to the Google Search Console through Google OAuth.
This was coupled with another issue: “the verification request used to verify a site’s ownership was a registered admin action” that did not have any capability checks, allowing such requests to come from any authenticated WordPress user.
“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” Wordfence explains.
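The bug class described above, a registered admin action with no capability check, is shown here next to a guarded version. This is an added example for a hypothetical plugin, not Site Kit's code or Google's patch; the `example_*` names, the `example_verify` action and the `example_verified_by` option are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example Verification Handler (illustration only)
 *
 * Hypothetical plugin, not Site Kit code.
 */

// Hypothetical stand-in for the step that records who verified the site.
function example_complete_verification() {
    update_option( 'example_verified_by', get_current_user_id() );
}

// BEFORE: wp-admin fires admin_action_{action} for every logged-in user,
// so with no capability check a subscriber can trigger this handler.
function example_verify_unguarded() {
    example_complete_verification();
}
// Registration of the unguarded handler, left disabled on purpose:
// add_action( 'admin_action_example_verify', 'example_verify_unguarded' );

// AFTER: require an administrator capability and a valid nonce before acting.
function example_verify_guarded() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html( 'You are not allowed to verify this site.' ),
            '',
            array( 'response' => 403 )
        );
    }
    // Dies if the _wpnonce parameter is missing or invalid.
    check_admin_referer( 'example_verify' );
    example_complete_verification();
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'admin_action_example_verify', 'example_verify_guarded' );

// Render the setup link only for users allowed to use it, so it never
// appears in the HTML source served to lower-privileged accounts.
function example_render_setup_link() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $url = wp_nonce_url( admin_url( 'index.php?action=example_verify' ), 'example_verify' );
    printf( '<a href="%s">%s</a>', esc_url( $url ), esc_html( 'Connect service' ) );
}
add_action( 'admin_notices', 'example_render_setup_link' );
```

The capability check in the handler is the control that matters; hiding the link only removes the disclosure and does not by itself stop a direct request.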
Once an attacker had gained owner access to a site’s Google Search Console, they could use it to their advantage in multiple ways, including the option to:
“Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results,” Wordfence added.
“More specifically, it could be used to aid a competitor who wants to hurt the ranking and reputation of a site to better improve their own reputation and ranking.”
Mitigation and defense measures
Fortunately, Google automatically sends notification emails to site owners whenever new Google Search Console owners are added to a site, saying that “Property owners can change critical settings that affect how Google Search interacts with your site or app.”
In case that email alert landed in your spam folder, Wordfence provides detailed instructions on how to verify the integrity of Google Search Console ownership, check whether a rogue owner has been added by an attacker, and remove them.
As an extra precaution, you can also reset your WordPress Site Kit connection so that you will have to reconnect all previously connected Google services.
Google patched the vulnerability on May 7 with the release of Site Kit 1.8.0, after a patch for the security flaw was made public in the plugin’s GitHub repository on May 4.
All Site Kit users are urged to immediately update their installation to the 1.8.0 version, the latest available fully patched version.
Unfortunately, while almost 200,000 website owners have updated their Site Kit plugins since the patch was released almost a week ago, over 100,000 sites are still exposed to attacks attempting to exploit this vulnerability.