When two big names like WordPress and Google have issues in their products, it reflects on thousands, if not millions, of their users. A vulnerability disclosed by the Wordfence threat intelligence team revealed that all WordPress sites using Google’s Site Kit were exploitable via a bug in Google’s Search Console. While this has been patched in the latest update, users should also check their sites for any unknown accounts with admin access and remove them.


Google Site Kit WordPress Plugin Can Give Hackers Admin Access

Bug Affecting Millions

WordPress is used by millions of people, each motivated by one reason or another: earning money through ads, spreading critical information, or simply showing up in Google. To help them, Google introduced a tool called Site Kit, a package that bundles PageSpeed Insights, Tag Manager, Search Console, Analytics, AdSense and Optimize. Together these help users rank their sites better in search results by connecting them to all the required Google products.

A problem surfaced by the Wordfence threat intelligence team on April 21st: the proxySetupURL used to connect the Site Kit plugin to Search Console through Google OAuth was revealed in the HTML source code of admin pages. There’s another bug where the “verification request used to verify a site’s ownership was a registered admin action, that did not have any capability checks allowing for such requests to come from any authenticated WordPress user.”
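To make the second bug concrete, here is an added illustration of the class of mistake described above: a WordPress admin action handler that performs a privileged operation without checking the caller's capability, followed by the hardened form. This is example code written for this page, not Site Kit's actual code; the hook name `example_verify_site`, the option `example_site_verified` and the nonce action are hypothetical.

```php
<?php
// Added illustration, not Site Kit's code. Hook, option and nonce names are
// hypothetical. Shows the vulnerable pattern (an admin_action_* hook with no
// capability check) beside a hardened version.

// Vulnerable pattern: admin_action_{$action} hooks in wp-admin/admin.php fire
// for any logged-in user who loads wp-admin/admin.php?action=example_verify_site.
// Being authenticated is not the same as being an administrator, so a
// subscriber-level account can trigger this privileged operation.
add_action( 'admin_action_example_verify_site', 'example_verify_site_unsafe' );
function example_verify_site_unsafe() {
    // Privileged state change reachable by any authenticated user.
    update_option( 'example_site_verified', true );
    wp_safe_redirect( admin_url() );
    exit;
}

// Hardened pattern: require the administrator-level capability and a nonce,
// so the request must come from a privileged user and must be deliberate
// (the nonce also blocks cross-site request forgery against that admin).
add_action( 'admin_action_example_verify_site_secure', 'example_verify_site_secure' );
function example_verify_site_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Verifies the _wpnonce request parameter and dies if it is missing or invalid.
    check_admin_referer( 'example_verify_site' );

    update_option( 'example_site_verified', true );
    wp_safe_redirect( admin_url() );
    exit;
}

// The link that triggers the secure action must carry the matching nonce, e.g.:
//   wp_nonce_url( admin_url( 'admin.php?action=example_verify_site_secure' ), 'example_verify_site' );
```

The same principle applies to the first bug: anything rendered into the HTML of an admin page is visible to every account that can load that page, so a setup URL or token that grants ownership-level access should only be emitted for users who already hold the capability it confers.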

Possible Exploitations and Patch

Google has already released a patch (Site Kit version 1.8.0) to address this issue, and recommends that users update as soon as possible. Further, it’s advised to check the integrity of Search Console ownership and see whether any rogue player has accessed the site as an owner.

Via: BleepingComputer