wpvulndb | Chloe Chamberland | WPVDB-ID: 9C1D386F-A55B-4042-8F1B-F37C508CDEB1
May 13, 2020 - 12:00 a.m.

Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access

2020-05-13 00:00:00
Chloe Chamberland
wpscan.com
9

This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.

PoC

Steps to reproduce:

1. Log in as a subscriber on target WordPress site.
2. View the page source of /wp-admin and command+f to search for “proxySetupURL”.
3. Copy the URL that should look something like: https://sitekit.withgoogle.com/site-management/setup/?scope=openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsiteverification%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fwebmasters&supports=credentials_retrieval%20short_verification_token%20file_verification&nonce=e12d949e42&site_id=hEVXBN2U4AdD8fH-wr9d7b3PbeDw3HFP.apps.sitekit.withgoogle.com
4. Open the previously copied URL in a new tab.
5. Sign in with any Google account and just follow the prompts - the site will be added to your search console at the end.
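For site owners verifying their own install, the check below is an added example (not part of the advisory or of the plugin's code): it takes the saved HTML of /wp-admin as rendered for a subscriber test account and reports whether a proxySetupURL carrying the site-verification scopes is present. It assumes the value is inlined as a JSON string property; the function name and both sample pages are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Scopes named in the advisory's URL that grant site verification / Search Console access.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/siteverification",
    "https://www.googleapis.com/auth/webmasters",
}

# Assumption: the value is inlined as a JSON string property named "proxySetupURL".
_SETUP_URL = re.compile(r'"proxySetupURL"\s*:\s*("(?:[^"\\]|\\.)*")')

def audit_low_privilege_page(html):
    """Return one finding per proxySetupURL present in HTML rendered for a low-privilege user."""
    findings = []
    for match in _SETUP_URL.finditer(html):
        try:
            url = json.loads(match.group(1))  # undoes JSON escaping such as \/
        except ValueError:
            continue  # not a well-formed JSON string; skip
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        scopes = set(" ".join(query.get("scope", [])).split())
        findings.append({
            "host": parts.hostname,
            "sensitive_scopes": sorted(scopes & SENSITIVE_SCOPES),
            "has_nonce": "nonce" in query,
            "has_site_id": "site_id" in query,
        })
    return findings

# Constructed sample: /wp-admin source as served to a subscriber on an affected install.
SAMPLE_EXPOSED = r'''<script>var exampleData = {"proxySetupURL":"https:\/\/sitekit.withgoogle.com\/site-management\/setup\/?scope=openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsiteverification%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fwebmasters&nonce=CONSTRUCTED&site_id=CONSTRUCTED.apps.sitekit.withgoogle.com"};</script>'''

# Constructed sample: the same page with no setup URL exposed to the subscriber.
SAMPLE_CLEAN = '<script>var exampleData = {"userRole":"subscriber"};</script>'

if __name__ == "__main__":
    for name, html in (("exposed", SAMPLE_EXPOSED), ("clean", SAMPLE_CLEAN)):
        findings = audit_low_privilege_page(html)
        print(name, "FAIL" if findings else "ok", findings)
```

An empty result for a subscriber-rendered page is the expected state on a version that is not affected (1.8.0 or later per the title).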