Lucene search

K
wpvulndbChloe ChamberlandWPVDB-ID:9C1D386F-A55B-4042-8F1B-F37C508CDEB1
HistoryMay 13, 2020 - 12:00 a.m.

Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access

2020-05-1300:00:00
Chloe Chamberland
wpscan.com
6

This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.

PoC

Steps to reproduce: 1. Log in as a subscriber on target WordPress site. 2. View the page source of /wp-admin and command+f to search for β€œproxySetupURL” 3. Copy the URL that should look something like: https://sitekit.withgoogle.com/site-management/setup/?scope=openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsiteverification%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fwebmasters&supports;=credentials_retrieval%20short_verification_token%20file_verification&nonce;=e12d949e42&site;_id=hEVXBN2U4AdD8fH-wr9d7b3PbeDw3HFP.apps.sitekit.withgoogle.com 4. Open the previously copied URL in a new tab. 5. Sign in with any Google account and just follow the prompts - the site will be added to your search console at the end.

CPENameOperatorVersion
google-site-kitlt1.8.0