A new critical vulnerability that should be seriously considered by SEO people was just discovered.
There’s a critical bug in the official WordPress plugin of Google called Site Kit, which has more than 300,000 active installations. The bug could allow malicious hackers to obtain owner access to the Google Search Console of targeted WordPress sites.
More about Site Kit
As explained by Google, Site Kit is designed to make it easy to set up and configure key Google products, such as Google Analytics, Google Search Console, PageSpeed Insights, and Google AdSense.
In other words, Site Kit helps WordPress site owners to help understand how their visitors use their sites via official statistics gathered by Google tools and displayed in the WordPress dashboard.
More about the critical Search Console bug
As already mentioned, the bug in question is described as privilege escalation. In short, privilege escalation occurs when a threat actor exploits a bug, design flaw, or configuration error in an application or operating system with the purpose of obtaining elevated access to areas that are typically unavailable.
So, what does this bug do? “This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin,” explain Wordfence researchers.
The security team issues a report with Google on April 21, and fortunately, a patch was released on May 7. The issue is considered critical because it could lead to malicious hackers gaining owner access to a WordPress site in Google Search Console.
With owner access, malicious actors can modify sitemaps, remove pages from SERPs, and even initiate black hat SEO campaigns. To avoid any of this from happening, site owners should update to the latest version of this plugin, which currently is Site Kit by Google version 1.8.0.
Technical details of the vulnerability are also available, thanks to the Wordfence security team.