agency experts have found a critical bug in the official Google WordPress Site Kit plugin that could give hackers access to landing pages in the Google search console.
The Site Kit’s WordPress plug-in enables easy configuration and installation of Google’s most important products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimization and AdSense). Users receive online information and up-to-date advice on how to succeed with more than 300,000 active installations.
Wordfence experts have found a critical bug in the Site Kit plugin, which can be used by authenticated attackers to give the owner access to the Google search console for target pages.
This disadvantage makes it possible for every authenticated user, regardless of the possibility, to become the owner of the Google Search Console for every site that uses the Sites Suite with the Google plug-in.
The vulnerability is caused by the disclosure of the proxySetupURL, which is included in the HTML source code of the administrator’s pages. It is used to redirect the administrator of the site to Google OAuth and start the process to check the owner of the site via a proxy.
To establish the first connection to the Site Kit and the Google search console, the plugin generates the proxySetupURL, which redirects the site administrator to Google OAuth and starts the process of controlling the site owner via a proxy server.
Due to the lack of performance validation of the admin_enqueue_scripts script, proxySetupURL was displayed in the HTML source code of the administration pages to any authenticated user accessing the /wp-admin control panel.
The experts also noted that another problem relating to the verification request used to check the ownership of the site was an action registered by the administrator who could not check whether the requests came from an authorised WordPress user.
Using two vulnerabilities, an attacker can take possession of Google’s search console, which allows him to change sitemaps, remove pages from Google’s search results pages (SERP) or activate a Black Hat SEO campaign.
Both disadvantages have enabled users at subscriber level to have the Google search console on any relevant site, Wordfence continues.
The owner of the Google search can z. B. Request for removal of URLs from Google search, viewing competitor performance data, changing sitemaps, etc. Illegal access to a site by the owner of the Google search engine can affect the visibility of the site in Google search results and affect profits because the attacker removes the URL from the search results. Specifically, it can be used to help a competitor who wants to harm the rating and reputation of the website to improve its own reputation and rating.
The good news is that Google sends an email when new owners are added to the Google search console, so administrators can remove the unknown owner.
As an additional precaution, the administrator can also reset the connection to the WordPress Site Kit so that all previously connected Google services must be reconnected.
Wordfence discovered on the 21st. April a problem with escalating privileges and reported it on the 22nd. April at Google.
Google discovered the vulnerability on the 7th. The month of May ended with the release of the 1.8.0 site kit.
At the time of writing, more than 200,000 website owners have updated their Site Kit plug-ins, but more than 100,000 websites are still vulnerable.
(Security issues – Site Kit, Hacking)