Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access



Description
"This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin."
Proof of Concept
The PoC will be displayed on May 27, 2020, to give users the time to update.

Affects Plugin

fixed in version 1.8.0

References

URL https://www.wordfence.com/blog/2020/05/vulnerability-in-google-wordpress-plugin-grants-attacker-search-console-access/
Youtube Video

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://wordfence.com
Submitter Twitter infosecchloe
Views 1133
Verified No
WPVDB ID 10224

Timeline

Publicly Published 2020-05-13 (13 days ago)
Added 2020-05-13 (12 days ago)
Last Updated 2020-05-15 (10 days ago)
