Google WordPress Site Kit Plugin Grants Search Console AccessSecurity Affairs

    agency experts have found a critical bug in the official Google WordPress Site Kit plugin that could give hackers access to landing pages in the Google search console.

    The Site Kit’s WordPress plug-in enables easy configuration and installation of Google’s most important products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimization and AdSense). Users receive online information and up-to-date advice on how to succeed with more than 300,000 active installations.

    Wordfence experts have found a critical bug in the Site Kit plugin, which can be used by authenticated attackers to give the owner access to the Google search console for target pages.

    This disadvantage makes it possible for every authenticated user, regardless of the possibility, to become the owner of the Google Search Console for every site that uses the Sites Suite with the Google plug-in.

    scope of services

    The vulnerability is caused by the disclosure of the proxySetupURL, which is included in the HTML source code of the administrator’s pages. It is used to redirect the administrator of the site to Google OAuth and start the process to check the owner of the site via a proxy.

    To establish the first connection to the Site Kit and the Google search console, the plugin generates the proxySetupURL, which redirects the site administrator to Google OAuth and starts the process of controlling the site owner via a proxy server.

    Due to the lack of performance validation of the admin_enqueue_scripts script, proxySetupURL was displayed in the HTML source code of the administration pages to any authenticated user accessing the /wp-admin control panel.

    The experts also noted that another problem relating to the verification request used to check the ownership of the site was an action registered by the administrator who could not check whether the requests came from an authorised WordPress user.

    Using two vulnerabilities, an attacker can take possession of Google’s search console, which allows him to change sitemaps, remove pages from Google’s search results pages (SERP) or activate a Black Hat SEO campaign.

    Both disadvantages have enabled users at subscriber level to have the Google search console on any relevant site, Wordfence continues.

    The owner of the Google search can z. B. Request for removal of URLs from Google search, viewing competitor performance data, changing sitemaps, etc. Illegal access to a site by the owner of the Google search engine can affect the visibility of the site in Google search results and affect profits because the attacker removes the URL from the search results. Specifically, it can be used to help a competitor who wants to harm the rating and reputation of the website to improve its own reputation and rating.

    The good news is that Google sends an email when new owners are added to the Google search console, so administrators can remove the unknown owner.

    As an additional precaution, the administrator can also reset the connection to the WordPress Site Kit so that all previously connected Google services must be reconnected.

    Wordfence discovered on the 21st. April a problem with escalating privileges and reported it on the 22nd. April at Google.

    Google discovered the vulnerability on the 7th. The month of May ended with the release of the 1.8.0 site kit.

    At the time of writing, more than 200,000 website owners have updated their Site Kit plug-ins, but more than 100,000 websites are still vulnerable.

    Pierluigi Paganini

    (Security issues – Site Kit, Hacking)




    Recent Articles

    Inflammatory skin diseases

    INFLAMMATORY SKIN DISEASES AND THEIR TREATMENT The most common and important inflammatory skin diseases include neurodermatitis, psoriasis, acne and rosacea. We are also aware of many...

    Unravel the XDR Noise and Recognize a Proactive Approach

      Cybersecurity professionals know this drill nicely all too nicely. Making sense of heaps of info and noise to entry what actually issues. XDR (Prolonged Detection & Response) has been a technical acronym thrown round within the cybersecurity business with many notations and...

    PLATYPUS: Hackers Can Obtain Crypto Keys by Monitoring CPU Power Consumption

      Researchers have disclosed the small print of a brand new side-channel assault technique that can be utilized to acquire delicate data from a system...

    The Container configurations in Amazon ECS

      Revealed: November 7, 2020 | Modified: November 7, 2020 | Zero views A fast put up on superior container configurations in Amazon ECS. ECS container superior...

    Antivirus Testing – VIPRE for your Home and Business

      Individuals typically marvel, “What’s one of the best antivirus?” A number of distributors will declare that their product is one of the best within...

    Related Stories