Security Experts:

Connect with us

Hi, what are you looking for?



Flaw in WordPress Plugin Grants Access to Google Search Console

A vulnerability that Google has addressed in one of its official WordPress plugins could be abused by attackers to gain access to the Google Search Console of an impacted website.

A vulnerability that Google has addressed in one of its official WordPress plugins could be abused by attackers to gain access to the Google Search Console of an impacted website.

The plugin, Site Kit by Google, was designed to provide site admins with information on how people find and use their websites, providing insights from critical Google tools, straight to the WordPress dashboard. The plugin has over 400,000 active installations.

The recently identified security flaw, which has already been patched by Google, is rated critical severity and has a CVSS score of 9.1. It could allow an attacker to obtain owner access to the Search Console and modify sitemaps or tamper with search engine result pages (SERPs).

During the initial connection with Google Search Console, the plugin generates a proxySetupURL through which the site admin is redirected to Google OAuth, and leverages a proxy to run the verification process.

The proxySetupURL, the Wordfence Threat Intelligence team at Defiant discovered, was displayed as part of the HTML source code of admin pages and could be viewed by any authenticated user who accessed the /wp-admin dashboard.

Additionally, the security researchers say, the verification request was found to be a registered admin action that had no capability checks. Thus, any authenticated user, even one with minimal permissions, could send verification requests.

“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” Defiant explains.

Google addressed the vulnerabilities with the release of version 1.8.0 of Site Kit with the addition of capability checks to prevent the proxySetupURL from being displayed to unauthorized users and to verify that the verification request sent during a legitimate authenticated session came from a user with administrative permissions.

An attacker could abuse the Google Search Console owner access to manipulate SERPs through black-hat SEO, the researchers say. The attacker could also combine the vulnerability with another exploit that provides the ability to inject malicious content on the site, for monetization.

“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results,” Defiant says.

Related: Vulnerabilities in ‘Page Builder’ Plugin Expose 1 Million WordPress Websites

Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites

Related: Code Injection Vulnerability Found in ‘Real-Time Find and Replace’ WordPress Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.