What We Know About The Vulnerability In Google Site Kit WordPress Plugin
- 14 May, 2020
- Jason Ferry
- SEO experts
A serious vulnerability was recently found in the Google Site Kit WordPress plugin and has since been fixed. The issue lets an attacker escalate their privileges on a website, change sitemaps, damage a victim’s search visibility, and so on. What else should SEO experts and webmasters understand about this problem?
Google Site Kit WordPress Plugin
Site Kit, considered Google's plugin for WordPress, is said to be affected by the vulnerability.
Google Site Kit generally shows data about a website in the WordPress Admin dashboard. It gathers the data from Google Analytics, Page Speed Insights, Google Search Console (GSC), AdSense, and other tools by Google.
WordFence’s researchers noticed the issue and reported it to Google. Prior to updating the plugin, an announcement was released.
The announcement reads:
“This is considered a critical security issue that could lead to attackers obtaining owner access to your site in Google Search Console.
Owner access allows an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.”
Privilege Escalation Vulnerability
The vulnerability impacting Site Kit is said to be a privilege escalation exploit. It only works if the attacker is registered on the WordPress site, for example as a subscriber. In such cases, the attacker can find or create a security hole.
Registering as a subscriber generally provides only limited access to a website. Due to the vulnerability, attackers are able to gain admin-level website privileges that they are not entitled to.
Chloe Chamberland, a security researcher at WordFence, uncovered the issue on 21 April and notified Google right away. Google released a security patch to fix it on 7 May.
This is Chamberland’s statement about the issue:
“Connecting two systems, like a WordPress site and Google’s site ownership tools, always comes with some degree of risk. Ensuring the integration between both systems is secured is critically important.
When companies like Google have an easy-to-find vulnerability disclosure policy in place, it helps researchers get fixes out quickly to end users.
As the space matures, we’re seeing more developers publishing clear Vulnerability Disclosure Policies, but more needs to be done to ensure that security researchers and developers can quickly connect and make the web safer for us all.”
Those who subscribe to the WordFence Premium security plugin would have benefited from same-day protection from the exploit, weeks prior to the patch released by Google.
Versions Of Site Kit Impacted By The Issue
The vulnerability affects versions below 1.8.0. Site Kit version 1.8.0 has been completely patched. It is advised to update the plugin as soon as possible.
The changelog of the Google Site Kit WordPress plugin confirms that version 1.8.0 contains a security update.
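For auditing installs against the 1.8.0 threshold described above, here is an added example (not from the article or from the Site Kit project) that reads the plugin's Version header and compares it numerically, so that 1.10.0 is not mistaken for older than 1.8.0. The default plugin path and main file name are assumptions, and the sample installs are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 8, 0)  # first patched Site Kit release, per the article
# Assumption: default plugin directory and main file name.
PLUGIN_FILE = "wp-content/plugins/google-site-kit/google-site-kit.php"
HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.+-]*)", re.M | re.I)

def version_tuple(version):
    """'1.10.0' -> (1, 10, 0), so 1.10.0 compares as newer than 1.8.0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(wp_root):
    """Version header of the plugin's main file; None if absent, '' if unreadable."""
    path = Path(wp_root) / PLUGIN_FILE
    if not path.is_file():
        return None
    # WordPress only scans the first 8 KB of a plugin file for headers.
    match = HEADER.search(path.read_bytes()[:8192].decode("utf-8", "replace"))
    return match.group(1) if match else ""

def status(version):
    """Classify one install against the 1.8.0 fix."""
    if version is None:
        return "not installed"
    if not version:
        return "version unreadable, check manually"
    if version_tuple(version) < FIXED:
        return f"VULNERABLE ({version} < 1.8.0), update"
    return f"patched ({version})"

def audit(wp_roots):
    return {Path(r).name: status(installed_version(r)) for r in wp_roots}

def demo():
    """Audit constructed sample installs built in a temporary directory."""
    samples = {"shop": "1.7.1", "blog": "1.8.0", "docs": "1.10.0", "bare": None}
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in samples.items():
            target = Path(tmp) / name / PLUGIN_FILE
            if ver:
                target.parent.mkdir(parents=True)
                target.write_text(f"<?php\n/**\n * Plugin Name: Site Kit by Google\n * Version: {ver}\n */\n")
        return audit(Path(tmp) / name for name in samples)

if __name__ == "__main__":
    print(demo())
```

Pass `audit()` a list of real WordPress root directories to check a fleet of sites.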
What Does Google Say About Merging Or Splitting Sites Being A Website Creation
In a tweet, John Mueller of Google stated that merging or splitting a website is like "essentially creating a new site". This raises a question: if a website merge or split is deemed necessary, will Google view the result as a new website, and perhaps not carry over all of the site's legacy signals?
This is what Mueller said about such action looking more like a website creation:
This SEO blog was based on the news from https://www.searchenginejournal.com/google-site-kit-vulnerability/367970/ and https://www.seroundtable.com/google-merging-or-splitting-sites-29446.html.