In late April Wordfence found a serious vulnerability in Google's Site Kit plugin for WordPress that could allow any user on the site to gain full access to the Google Search Console without verifying ownership. Google patched the vulnerability and released the fix in version 1.8.0 on May 7, 2020.
Wordfence published a timeline of the vulnerability, describing it as a proxySetupURL disclosure:
In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site's administrator to Google OAuth and run the site owner verification process through a proxy. Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.
The other aspect of the vulnerability is related to the site ownership verification request, which used a registered admin action that was missing capability checks. As a result, any authenticated WordPress user was capable of initiating the request.
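Wordfence's description maps onto two common WordPress plugin mistakes: printing admin-only data on a hook that fires for every logged-in user, and registering an admin action without a capability (or nonce) check. The following is an added illustration of both patterns next to their hardened form, written for this article; it is not Site Kit's code and not Wordfence's, and the plugin name, option name, action name, screen hook suffix and helper function in it are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Setup (illustration only)
 *
 * Added example, not Site Kit's code. Shows admin-only data leaked via
 * admin_enqueue_scripts to every logged-in user, and an admin action with
 * no capability check, beside the hardened form. All names are hypothetical.
 */

// Hypothetical helper standing in for the ownership-verification request.
function example_start_site_verification() {
    // ... would contact the verification proxy here ...
}

/* ---- Vulnerable pattern (shown for contrast; NOT registered below) ---- */

// admin_enqueue_scripts fires for every user who can load /wp-admin,
// Subscribers included, so the localized data lands in their page source too.
function example_enqueue_vulnerable() {
    wp_enqueue_script( 'example-setup', plugins_url( 'setup.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-setup', 'exampleSetup', array(
        'proxySetupURL' => get_option( 'example_proxy_setup_url' ), // hypothetical option
    ) );
}

// Reachable by any logged-in user via wp-admin/admin.php?action=example_verify.
function example_verify_vulnerable() {
    example_start_site_verification();
}

/* ---- Hardened pattern (registered) ---- */

function example_enqueue_hardened( $hook_suffix ) {
    // Only users who can administer the site need the setup URL.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // And only on the plugin's own screen, not on every admin page.
    if ( 'toplevel_page_example-setup' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-setup', plugins_url( 'setup.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-setup', 'exampleSetup', array(
        'proxySetupURL' => get_option( 'example_proxy_setup_url' ),
    ) );
}

function example_verify_hardened() {
    // Capability check: non-administrators cannot start verification at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.', '', array( 'response' => 403 ) );
    }
    // Nonce check: a forged link cannot make an administrator's browser trigger it.
    check_admin_referer( 'example_verify' );
    example_start_site_verification();
    wp_safe_redirect( admin_url( 'admin.php?page=example-setup&verified=1' ) );
    exit;
}

add_action( 'admin_enqueue_scripts', 'example_enqueue_hardened' );
add_action( 'admin_action_example_verify', 'example_verify_hardened' );

// The link that triggers the hardened action carries the matching nonce.
function example_verify_link() {
    return wp_nonce_url( admin_url( 'admin.php?action=example_verify' ), 'example_verify' );
}
```

A quick check for the first half of the bug is to log in as a Subscriber, load any /wp-admin page and search the HTML source for the setup URL or other setup data; with the capability check in place it should not appear. For the second half, request the admin action URL as a Subscriber and confirm it is rejected rather than executed.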
Wordfence identified several ways an attacker could use this vulnerability to damage a site's ranking and reputation, including manipulating search engine results, requesting removal of a competitor's URLs from the search engine, modifying sitemaps, viewing performance data, and more.
The security fixes are not detailed in the plugin's changelog on GitHub. It does, however, include a note at the top that states, "This release includes security fixes. An update is strongly recommended." Google has not published a post to notify users in the news section of the plugin's official website. Without Wordfence's public disclosure, users might not know how significant the update is.
Google's Site Kit plugin has more than 400,000 active installs, according to WordPress.org. Details of the 1.8.0 update are not available to users in the admin, since the plugin's changelog is hosted on GitHub. There is no way for users to know that the update includes security fixes without clicking through to research it. Given the amount of sensitive information to which attackers could gain access, users are advised to update the plugin as soon as possible.