When two big names like WordPress and Google have issues in their products, it affects thousands, if not millions, of their users. A vulnerability disclosed by the Wordfence threat intelligence team revealed that all WordPress sites using Google’s Site Kit are exploitable via a bug in Google’s Search Console. While this was patched in a recent update, users should check whether any unknown persons have admin access to their sites and remove them.
Bug Affecting Millions
WordPress is used by millions of people, each with their own motivation: earning money through ads, spreading critical information, or simply showing up in Google. To help them, Google introduced a tool called Site Kit, a package that includes PageSpeed Insights, Tag Manager, Search Console, Analytics, AdSense and Optimize. Together these help users rank their sites better in search results by connecting to all the required Google products.
A problem surfaced by the Wordfence threat intelligence team on April 21st involves exposure of the proxySetupURL, which is used to connect the Site Kit plug-in to Search Console through Google OAuth. This URL was revealed in the HTML source code of admin pages. There’s another bug where the “verification request used to verify a site’s ownership was a registered admin action, that did not have any capability checks allowing for such requests to come from any authenticated WordPress user.”
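The missing capability check described above, shown as an added example on a generic WordPress admin action. This is not Site Kit's code: the action name, option name and function names are hypothetical, and the snippet assumes it is loaded inside WordPress as a small plugin file.

```php
<?php
/**
 * Added illustration, not Site Kit's code.
 * Hypothetical names: example_site_verification, example_verification_token.
 * Assumes it runs inside WordPress (for example as a small plugin file).
 */

// Pattern described in the advisory: a handler on admin_action_{action}
// runs for any logged-in user who requests wp-admin/admin.php?action=...,
// subscribers included. Shown for comparison only; it is not hooked.
function example_verify_unchecked() {
	// No capability check and no nonce: the caller's role is never examined.
	example_store_verification_token( $_GET['token'] ?? '' );
}

// Hardened form: authorize first, then verify intent, then act.
add_action( 'admin_action_example_site_verification', 'example_verify_checked' );

function example_verify_checked() {
	// 1. Capability check: only users who can manage site options proceed.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to verify this site.' ),
			'',
			array( 'response' => 403 )
		);
	}

	// 2. Nonce check: the request must come from a link or form that was
	//    generated for this action (dies on failure).
	check_admin_referer( 'example_site_verification' );

	// 3. Sanitize the input before storing it.
	$token = isset( $_GET['token'] )
		? sanitize_text_field( wp_unslash( $_GET['token'] ) )
		: '';

	example_store_verification_token( $token );
	wp_safe_redirect( admin_url() );
	exit;
}

// Hypothetical helper standing in for the real verification step.
function example_store_verification_token( $token ) {
	update_option( 'example_verification_token', $token );
}
```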
Possible Exploitations and Patch
These bugs allow attackers with even subscriber-level access to gain the privileges of a Search Console owner. With those privileges they can make modifications for that site and pull it down in the search results. The attacker can, if so inclined, perform blackhat SEO tricks, inject malicious code, or try to remove the page completely from SERPs. Failing that, the attacker can simply view the site’s statistics to give a competitor an advantage.
Google has already released a patch (Site Kit version 1.8.0) for this issue and recommends that users update as soon as possible. Further, users are advised to check the integrity of Search Console ownership and see whether any rogue player has accessed the site as an owner.