Description

WordPress Plugin Site Kit by Google is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently become a Google Search Console owner, allowing them to modify sitemaps, remove pages from Google search engine result pages (SERPs), or facilitate black hat SEO campaigns. WordPress Plugin Site Kit by Google version 1.7.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.8.0 or latest

References

https://www.wordfence.com/blog/2020/05/vulnerability-in-google-wordpress-plugin-grants-attacker-search-console-access/

https://github.com/google/site-kit-wp/releases/tag/1.8.0

Related Vulnerabilities

Jenkins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-34170)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2007-4828)

Oracle Database Server CVE-2006-5340 Vulnerability (CVE-2006-5340)

osCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-43716)

WordPress Plugin Coupon Creator Cross-Site Request Forgery (3.1)

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass