According to reports from Bleeping Computer, a dangerous bug has been found in Google’s official WordPress plugin, which has 300,000 active installations. The bug stems from the disclosure of the proxySetupURL within the HTML source code of admin pages, which enables hackers to gain owner access to the site’s Google Search Console. In addition, “the verification request used to verify a site’s ownership was a registered admin action” that fails to have any capability checks. As a result, such requests can come from any authenticated WordPress user.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.