We were alerted to a vulnerability in Site Kit which could allow users without administrator privileges on WordPress to verify ownership of a site they’re registered to in Search Console. As soon as we found out about this, we tracked down the root cause and released a security patch in version 1.8.0 on May 7, as well as additional security enhancements in version 1.8.1 on May 19.
If you’re using Site Kit version 1.8.0 or below, we strongly recommend you upgrade to 1.8.1 as soon as possible.
We’ve worked with the wordpress.org team to automatically update Site Kit for existing users to 1.8.1.
Is this issue affecting my site?
This issue is only applicable if your site has non-Admin user accounts on WordPress. If you are the only person with access to your site or all users on your site have administrator access, you are not affected.
What can I do to protect my site?
Here’s what you can do to make sure everything is ok for your site:
- Update Site Kit to version 1.8.1, if you haven’t already done so.
- After the update, Site Kit will check for any unauthorized user accounts that placed a verification token and disconnect them.
- Regardless of the update routine, we recommend you check the Users and Permissions section of Search Console Settings for any new users that you don’t recognise.
Search Console also sends an email to all verified owners every time a new user has been added as a site owner. Search your inbox for an email from the Google Search Console Team with the subject “New owner for <your site URL>”.
If you see any unexpected new users listed as site owners in Search Console:
- Update Site Kit to version 1.8.1
- Remove these users from Search Console: in the Users and Permissions section, click “Manage property owners” next to the name of the specific user. You’ll be redirected to a page with the full list of all verified users: click “Unverify” to remove that user.
If a malicious user has gained access to Search Console and removed you from the list of owners, you can regain access as follows:
- Log in to your WordPress site and upgrade Site Kit to 1.8.1
- Complete Site Kit setup (a new verification token will be placed for your account)
- Remove the unauthorized user from Search Console: in the Users and Permissions section, click “Manage property owners” next to the name of the specific user. You’ll be redirected to a page with the full list of all verified users: click “Unverify” to remove that user.
If you need more information, ask a question in the Support page in the WordPress plugin directory — we’re here to help!