Expert commentary: Black Hat SEO in Danger for Utilization of the Google WordPress Plugin Bug

By   muhammad malik
Chief Editor , Information Security Buzz | May 14, 2020 11:18 pm PST

Following reports from Bleeping Computer, a 300, 000 active installation of dangerous bug has been found in Google’s official WordPress plugin. Attributed to the disclosure of the proxySetupURL within the HTML source code of admin pages, this enables hackers to have owner access to the site’s Google Search Console. Not only that, but “the verification request used to verify a site’s ownership was a registered admin action” fails to have any capability checks. Thus,  such requests can come from any authenticated WordPress user.


Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Martin Jartelius
InfoSec Expert
May 15, 2020 7:21 am

It should be noted that this vulnerability does require attackers to have a non admin account on the site, and that the “critical” rating is a result of the researchers gauging this as a complete loss of confidentiality. Taking a more modest perspective on that as while sensitive this in no way a complete loss of confidentiality, this is a medium level risk. Of course, it should be patched at the soonest possible, but for many installations it is not exploitable, and for those where it is, the impact is bad but far from disastrous.

Last edited 3 years ago by Martin Jartelius

Recent Posts

Would love your thoughts, please comment.x