A vulnerability that Google has addressed in one of its official WordPress plugins could be abused by attackers to gain access to the Google Search Console of an impacted website.
The plugin, Site Kit by Google, was designed to provide site admins with information on how people find and use their websites, providing insights from critical Google tools, straight to the WordPress dashboard. The plugin has over 400,000 active installations.
The recently identified security flaw, which has already been patched by Google, is rated critical severity and has a CVSS score of 9.1. It could allow an attacker to obtain owner access to the Search Console and modify sitemaps or tamper with search engine result pages (SERPs).
During the initial connection with Google Search Console, the plugin generates a proxySetupURL through which the site admin is redirected to Google OAuth, and leverages a proxy to run the verification process.
The proxySetupURL, the Wordfence Threat Intelligence team at Defiant discovered, was displayed as part of the HTML source code of admin pages and could be viewed by any authenticated user who accessed the /wp-admin dashboard.
Additionally, the security researchers say, the verification request was found to be a registered admin action that had no capability checks. Thus, any authenticated user, even one with minimal permissions, could send verification requests.
“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” Defiant explains.
Google addressed the vulnerabilities with the release of version 1.8.0 of Site Kit with the addition of capability checks to prevent the proxySetupURL from being displayed to unauthorized users and to verify that the verification request sent during a legitimate authenticated session came from a user with administrative permissions.
An attacker could abuse the Google Search Console owner access to manipulate SERPs through black-hat SEO, the researchers say. The attacker could also combine the vulnerability with another exploit that provides the ability to inject malicious content on the site, for monetization.
“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results,” Defiant says.
Related: Vulnerabilities in ‘Page Builder’ Plugin Expose 1 Million WordPress Websites
Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites
Related: Code Injection Vulnerability Found in ‘Real-Time Find and Replace’ WordPress Plugin
