A critical vulnerability found in Google’s official WordPress plugin, Site Kit, could allow intruders access to Google Search Console to the targeted site.
The plugin, which has over 400,000 installations, is used to configure various Google products that offer insights like web traffic, revenue from advertisements, website speed and optimization into WordPress.
The Google Search Console Privilege Escalation vulnerability, which has now been fixed, was rated as critical as it could not only let the hackers access the Search Console but also modify sitemaps or tamper with search engine result pages (SERPs).
Vulnerable plugin
According to experts at Wordfence, after connecting with the Search console for the first time, the plugin generates a proxySetupURL which directs the web admin to Google OAuth to run a verification process by leveraging a proxy.
Another issue where “the verification request used to verify a site’s ownership was a registered admin action” could not verify the request’s authenticity. Combined, these flaws “made it possible for subscriber-level users to become Google Search Console owners on any affected site,” stated the researchers.
Once hackers gained access of the Google Search Console, they could run black hat SEO campaigns by manipulating search engine result pages, inject malicious code for illicit monetization and modify sitemaps. It also allows unauthorized access to view competitive performance data as well as remove web pages from Google search engine result pages.
Google has now released a patched version of the Site Kit plugin by adding capability checks and an ability to verify that the request was sent during a legitimate authenticated session. Additionally, it will now alert Search Console owners whenever a new owner is added to the console as an additional security.
Via: BleepingComputer
