Security News > 2020 > May > Flaw in WordPress Plugin Grants Access to Google Search Console
A vulnerability that Google has addressed in one of its official WordPress plugins could be abused by attackers to gain access to the Google Search Console of an impacted website.
During the initial connection with Google Search Console, the plugin generates a proxySetupURL through which the site admin is redirected to Google OAuth, and leverages a proxy to run the verification process.
"These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site," Defiant explains.
An attacker could abuse the Google Search Console owner access to manipulate SERPs through black-hat SEO, the researchers say.
"An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results," Defiant says.