Get Started for Free
  1. SEJ
  2.  » 
  3. News

Google Site Kit WordPress Plugin Vulnerability

Critical vulnerability discovered in Google Site Kit WordPress plugin.

Google Site Kit WordPress Plugin Vulnerability

A vulnerability was discovered in Google’s Site Kit WordPress plugin and subsequently patched.

The vulnerability allows an attacker to escalate site privileges and attack a victims search visibility,  alter site maps and more.

Google Site Kit VulnerabilityGoogle Site Kit is a WordPress plugin that displays Google AdSense, Analytics and GSC data within the WordPress Admin area.

Google Site Kit WordPress Plugin

The vulnerability affects Site Kit by Google. Google Site Kit is a Google WordPress.

Continue Reading Below

Google Site Kit displays information about your site within the WordPress Admin dashboard. It aggregates information from Google Search Console (GSC), Google Analytics, AdSense, Page Speed Insights and other Google tools.

Researchers at WordFence (@wordfence) discovered the vulnerability, notified Google then published an announcement after the plugin was updated.

According to the announcement:

“This is considered a critical security issue that could lead to attackers obtaining owner access to your site in Google Search Console.

Owner access allows an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.”

Privilege Escalation Vulnerability

The vulnerability affecting Google Site Kit is a Privilege Escalation exploit. This kind of exploit requires that an attacker to be registered on the WordPress site (for example, as a subscriber) in order to take advantage of a security hole.

Continue Reading Below

Ordinarily a registered user at the subscriber level has minimal privileges on a website. The vulnerability however allows an attacker to gain admin level site privileges, to escalate their site access privileges.

The vulnerability was discovered by WordFence security researcher Chloe Chamberland on April 21, 2020 and reported to Google on the same day. A patch was issued by Google on May 7, 2020

According to WordFence vulnerability researcher Chloe Chamberland:

“Connecting two systems, like a WordPress site and Google’s site ownership tools, always comes with some degree of risk. Ensuring the integration between both systems is secured is critically important.

When companies like Google have an easy-to-find vulnerability disclosure policy in place, it helps researchers get fixes out quickly to end users.
As the space matures, we’re seeing more developers publishing clear Vulnerability Disclosure Policies, but more needs to be done to ensure that security researchers and developers can quickly connect and make the web safer for us all. “

Subscribers to the WordFence Premium security plugin would have been protected from this exploit on the same day that it was discovered, weeks before the patch was issued by Google.

Google Site Kit Versions Affected

This vulnerability affects Google Site Kit versions that are lower than version 1.8.0.

Google Site Kit 1.8.0 has been fully patched. It is strongly recommended that users update their plugin immediately.

Google Site Kit Plugin Vulnerability

Google’s Site Kit WordPress plugin changelog clearly states that version 1.8.0 has a security update and it strongly recommends users update.

Continue Reading Below

Read the official announcement:

Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access

More Resources


Subscribe to SEJ

Get our daily newsletter from SEJ's Founder Loren Baker about the latest news in the industry!

Topic(s) of Interest*
By clicking the "SUBSCRIBE" button, I agree and accept the content agreement and privacy policy of Search Engine Journal.

Roger Montti

Owner at

Roger Montti is a search marketer with over 20 years experience. I offer site audits, phone consultations and content and ... [Read full bio]

Read the Next Article
Read the Next