Expert commentary: Google WordPress plugin bug can be exploited for black hat SEO

Following reports from Bleeping Computer, a critical bug in Google’s official WordPress plugin, Site Kit, which has 300,000 active installations, could allow attackers to gain owner access to targeted sites’ Google Search Console. The bug is caused by the disclosure of the proxySetupURL within the HTML source code of admin pages; this URL is used to connect the Site Kit plugin to Google Search Console through Google OAuth. This was coupled with a second issue: “the verification request used to verify a site’s ownership was a registered admin action” that did not have any capability checks, allowing such requests to come from any authenticated WordPress user.
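The two weaknesses described above are both missing authorisation checks: a privileged admin action that any logged-in user can trigger, and a sensitive setup URL printed into page HTML for users who should never see it. The following is an added illustration written for this page, not Site Kit’s own code; the `example_*` names, the `manage_options` capability and the `example_do_verification()` helper are assumptions, showing the unchecked pattern beside the hardened one that plugin authors (and reviewers auditing a plugin) would look for.

```php
<?php
// Hypothetical plugin code (not Site Kit's): WordPress fires the hook
// admin_action_{name} for any authenticated user who requests
// admin.php?action={name}, so the callback itself must enforce
// who is allowed to run it.

// Vulnerable pattern: privileged operation with no capability or nonce check.
add_action( 'admin_action_example_verify_site', 'example_verify_site_insecure' );
function example_verify_site_insecure() {
    example_do_verification(); // any logged-in user reaches this line
}

// Hardened pattern: require an admin-level capability and a valid nonce.
add_action( 'admin_action_example_verify_site_safe', 'example_verify_site_secure' );
function example_verify_site_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Rejects requests that were not initiated from a page we rendered
    // with wp_nonce_url( ..., 'example_verify_site' ).
    check_admin_referer( 'example_verify_site' );
    example_do_verification();
}

// Sensitive setup/OAuth URLs must only be emitted for users entitled to
// complete the setup; lower-privileged users can view admin page source.
function example_print_setup_url( $url ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // nothing is written into the HTML for other roles
    }
    printf(
        '<script>var exampleSetupUrl = %s;</script>',
        wp_json_encode( esc_url_raw( $url ) )
    );
}

// Placeholder for the privileged operation (assumed; not real verification logic).
function example_do_verification() {
    update_option( 'example_site_verified', true );
}
```

A quick audit check is to grep a plugin for `admin_action_`, `wp_ajax_` and `admin_post_` hooks and confirm each callback starts with a `current_user_can()` test.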


EXPERTS COMMENTS
Martin Jartelius, CSO, Outpost24
May 15, 2020
It should be patched at the soonest possible.
It should be noted that this vulnerability does require attackers to have a non-admin account on the site, and that the “critical” rating is a result of the researchers gauging this as a complete loss of confidentiality. Taking a more modest perspective on that, as while sensitive this is in no way a complete loss of confidentiality, this is a medium-level risk. Of course, it should be patched at ....
