According to reports from Bleeping Computer, a dangerous bug has been found in Google’s official WordPress plugin, which has 300,000 active installations. The bug stems from the disclosure of the proxySetupURL within the HTML source code of admin pages, and it enables hackers to gain owner access to the site’s Google Search Console. Not only that, but “the verification request used to verify a site’s ownership was a registered admin action” that lacked any capability checks. Thus, such requests can come from any authenticated WordPress user.
It should be noted that this vulnerability does require attackers to have a non-admin account on the site, and that the “critical” rating is a result of the researchers gauging this as a complete loss of confidentiality. Taking a more modest perspective, the exposure is sensitive but in no way a complete loss of confidentiality, so this is a medium-level risk. Of course, it should be patched as soon as possible, but for many installations it is not exploitable, and for those where it is, the impact is bad but far from disastrous.