In late April Wordfence discovered a critical vulnerability in Google’s Site Kit plugin for WordPress that would make it possible for any user on the site to gain full access to the Google Search Console without verifying ownership. Google patched the vulnerability and released the fix in version 1.8.0 on May 7, 2020.
Wordfence published a timeline of the vulnerability, describing it as a proxySetupURL disclosure:
In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy. Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.
The other aspect of the vulnerability is related to the site ownership verification request, which used a registered admin action that was missing capability checks. As a result, any authenticated WordPress user was capable of initiating the request.
Wordfence identified several ways a malicious attacker might use this vulnerability to the detriment of the site’s ranking and reputation, including manipulating search engine results, requesting removal of a competitor’s URLs from the search engine, modifying sitemaps, viewing performance data, and more.
The security fixes are not detailed in the plugin’s changelog on GitHub. It does, however, include a note at the top that states, “This release includes security fixes. An update is strongly recommended.” Google has not published a post to notify users on the news section of the plugin’s official website. Without Wordfence’s public disclosure, users may not know about the importance of the update.
Google’s Site Kit plugin has more than 400,000 active installs, according to WordPress.org. Details of the 1.8.0 update are not available to users in the admin, since the plugin’s changelog is hosted on GitHub. There is no way for users to know that the update includes security fixes without clicking through to research. Due to the great deal of sensitive information to which attackers could gain access, users are advised to update the plugin as soon as possible.
9.1 CVSS score (low attack complexity, low privilege required, high impact) and barely a mention of it in the official changelog.