As is well known, open-source software has as many advocates as it does critics. One of the main arguments used by the latter is always security. While open-source code offers many advantages, it also presents undeniable risks. That’s why it’s crucial to thoroughly verify the source of any plugins you install on your WordPress site. Unfortunately, even trusted solutions from well-known developers can contain vulnerabilities. Recently, an embarrassing oversight affected none other than Google itself…

Warning! Serious issue with Google’s Site Kit plugin

Wordfence issues a warning

The issue was detected and disclosed by the Wordfence Security team – the developers of the most popular firewall, with over 3 million active installations on WordPress sites.

The warning concerns the Site Kit plugin, developed by Google. The user community was informed about the vulnerability on April 21, when the plugin was active on over 300,000 websites. What was the problem? A discovered security flaw allowed any authenticated user, regardless of their privileges, to take control of the Google Search Console tool of any website with the active Site Kit plugin!

Site Kit vulnerability – what happened?

Site Kit by Google is a plugin designed to gather and display website analytics in the WordPress dashboard, including visitor insights, search performance, ad effectiveness, page speed statistics, and other data from Google services.

The integration is done by connecting the plugin to a Google account. By default, the plugin gains access to Google Search Console. For additional functionality, users can integrate it with Google Analytics, Google AdSense, Google PageSpeed Insights, Google Optimize, or Google Tag Manager.

To establish the initial connection between Site Kit and Google Search Console, the plugin generates a proxySetupURL. This redirects the website administrator to Google OAuth and initiates the site ownership verification process via a proxy. And here’s where the problem occurred…

Because the admin_enqueue_scripts callback ran without a capability check, the proxySetupURL was output as part of the HTML source of admin pages, making it visible to any authenticated user who could reach the /wp-admin dashboard. By security standards, this issue is rated critical. Unauthorized access to Google Search Console can lead to sitemap modifications, removal of pages from Google’s search results (SERP), and even facilitate black-hat SEO campaigns.
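To make this class of flaw concrete, here is an added example (illustrative PHP written for this article, not Site Kit’s actual code; the function names, option name and menu slug are assumptions): an admin_enqueue_scripts callback that hands a sensitive setup URL to every logged-in user, followed by a hardened version gated on a capability check and on the plugin’s own screen.

```php
<?php
// Illustrative example (not Site Kit's actual code): the bug class described
// above. A plugin builds a one-time OAuth setup URL and passes it to its admin
// JavaScript via wp_localize_script(), which prints it as an inline <script>
// in the page HTML. Function, option and slug names are assumptions.

// VULNERABLE PATTERN: admin_enqueue_scripts fires for every user who can load
// /wp-admin, and nothing here checks who that user is or which screen they are
// on, so the setup URL ends up in the HTML of every admin page, for a
// subscriber-level account just as for an administrator.
function demo_enqueue_setup_vulnerable( $hook_suffix ) {
    $setup_url = get_option( 'demo_proxy_setup_url' ); // sensitive, one-time link
    wp_enqueue_script( 'demo-setup', plugins_url( 'js/setup.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-setup', 'demoSetup', array( 'proxySetupURL' => $setup_url ) );
}

// HARDENED PATTERN: render the URL only for a user who may manage the site,
// only on the plugin's own settings screen, and only while setup is pending.
function demo_enqueue_setup_hardened( $hook_suffix ) {
    // Capability check: users without manage_options never receive the link.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Screen check: hook suffix for a top-level menu registered with slug 'demo-setup'.
    if ( 'toplevel_page_demo-setup' !== $hook_suffix ) {
        return;
    }
    $setup_url = get_option( 'demo_proxy_setup_url' );
    if ( empty( $setup_url ) ) {
        return; // connection already established, nothing to expose
    }
    wp_enqueue_script( 'demo-setup', plugins_url( 'js/setup.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-setup', 'demoSetup', array( 'proxySetupURL' => esc_url_raw( $setup_url ) ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_setup_hardened' );
```

A quick way to verify a plugin against this exposure is to log in with a low-privilege test account (e.g. Subscriber), open /wp-admin and search the page source for the sensitive value; with the hardened hook it should not appear.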

Security fix – how was the Site Kit issue resolved?

After discovering the vulnerability, the Wordfence team developed and deployed a firewall rule to protect their Premium users. This rule prevented exploitation of the Site Kit vulnerability. Google was, of course, promptly informed about the issue, but the patched version 1.8.0 wasn’t released until May 7. Now, two weeks later, Wordfence has made the firewall rule available to free users, and Site Kit has already received another update to version 1.8.1 (as of yesterday).

All Site Kit users who prioritize digital security are strongly advised to immediately update to the latest version. If you need additional assistance with this, our WordPress experts are available to help.
