Updated: Jul 5
GOOGLE WORDPRESS PLUGINS BUGS ALLOWS ATTACKER TO ACCESS SEAR.
Bugs in google WordPress plugins?
word fence team found a critical security bug with a CVSS score of 9.1 in the official Google plugin for WordPress. As per their blog spot, they found that the flaw in Site Kit by Google exposed the website’s Search Console.
Site Kit by Google is a dedicated plugin for WordPress, which allows the admins to see how the site performs. As of showing the stats, the plugin also facilitates the quick setup of Google tools. Presently, the plugin posses more than 400,000 active installations.
The bug existed due to a lack of capability check on the admin_enqueue_scripts action. This unveiled the proxySetupURL via the HTML source code of admin pages to authorized users with any privileges. Moreover, there also existed a similar lacking while handling verification requests from incoming users. This allowed any authenticated user to send verification requests without admin privileges.
Consequently, an adversary with authenticated user access to the /wp-admin dashboard could gain owner access to the website’s Search Console. Regarding the potential threats associated with the exploitation of this bug, the researchers stated, Owner access allows an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.