Vulnerabilities and security researches forgoogle-site-kit google-site-kit

Jun 07, 2024

CVE, Research URL: CVE-2020-8934
Home page URL: Security reports for Site Kit by Google – Analytics, Search Console, AdSense, Speed
Application: Site Kit by Google – Analytics, Search Console, AdSense, Speed
Date: Jul 07, 2023
Research Description: The Site Kit by Google plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 1.8.0 This is due to the lack of capability checks on the admin_enqueue_scripts action which displays the connection key. This makes it possible for authenticated attackers with any level of access obtaining owner access to a site in the Google Search Console. We recommend upgrading to V1.8.1 or above.
Affected versions: max 1.8.0.
Status: vulnerable

CVE, Research URL: b9b7ace7c8988b97aac899303cb3b7f012df932f
Home page URL: Security reports for Site Kit by Google – Analytics, Search Console, AdSense, Speed
Application: Site Kit by Google – Analytics, Search Console, AdSense, Speed
Date: May 13, 2020
Research Description: Site Kit by Google – Analytics, Search Console, AdSense, Speed [google-site-kit] < 1.8.0 WordPress Site Kit by Google plugin <= 1.7.1 - Privilege Escalation vulnerability Privilege Escalation vulnerability found by Chloe Chamberland in WordPress Site Kit by Google plugin (versions <= 1.7.1).
Affected versions: max 1.8.0.
Status: vulnerable

Jul 24, 2024

PSC, Research URL: PSC-2024-64512
Home page URL: Security reports for Site Kit by Google – Analytics, Search Console, AdSense, Speed
Application: Site Kit by Google – Analytics, Search Console, AdSense, Speed
Date: Apr 08, 2025
Research Description: “Site Kit by Google” plugin, version 1.167.0, has successfully passed the Plugin Security Certification (PSC) from CleanTalk. This certification assures users of the plugin’s security and reliability, enabling WordPress site owners to integrate Google’s powerful tools with enhanced safety and performance.
Affected versions: Min 1.181.0, max 1.181.0.
Status: SAFE & CERTIFIED

Jun 15, 2026

CVE, Research URL: 6aac99ec913d183de2f9c4649f2eb663fd071c83
Home page URL: Security reports for Site Kit by Google – Analytics, Search Console, AdSense, Speed
Application: Site Kit by Google – Analytics, Search Console, AdSense, Speed
Date: May 21, 2020
Research Description: Site Kit by Google – Analytics, Search Console, AdSense, Speed [google-site-kit] < 1.8.0 Site Kit by Google <= 1.7.1 - Sensitive Information Disclosure The Site Kit by Google plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 1.7.1. This is due to the lack of capability checks on the admin_enqueue_scripts action which displays the connection key. This makes it possible for authenticated attackers with any level of access obtaining owner access to a site in the Google Search Console.
Affected versions: max 1.8.0.
Status: vulnerable

CVE, Research URL: 9c1d386f-a55b-4042-8f1b-f37c508cdeb1
Home page URL: Security reports for Site Kit by Google – Analytics, Search Console, AdSense, Speed
Application: Site Kit by Google – Analytics, Search Console, AdSense, Speed
Date: -
Research Description: Site Kit by Google – Analytics, Search Console, AdSense, Speed [google-site-kit] < 1.8.0 Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.
Affected versions: max 1.8.0.
Status: vulnerable

Jun 25, 2026

CVE, Research URL: CVE-2026-10753
Home page URL: Security reports for Site Kit by Google – Analytics, Search Console, AdSense, Speed
Application: Site Kit by Google – Analytics, Search Console, AdSense, Speed
Date: Jun 24, 2026
Research Description: The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.
Affected versions: max 1.176.0.
Status: vulnerable