Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Requires explicit dashboard sharing grant (Editor-equivalent privilege, PR:H); only low integrity impact on plugin settings; no confidentiality or availability impact applies.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.
AnalysisAI
Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concrete conditions: (1) the target WordPress site must be running Site Kit by Google plugin at a version below 1.176.0; (2) the attacker must already possess a WordPress account that has been explicitly granted dashboard sharing access by an administrator - this is a non-default configuration, as dashboard sharing must be actively enabled and delegated; (3) network access to the WordPress REST API (typically the /wp-json/ path). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals converge on low real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds WordPress Editor access or has been granted Site Kit dashboard sharing by an administrator sends a crafted authenticated REST API request directly to the vulnerable write endpoint, bypassing the intended administrator-only restriction. This allows them to silently alter a site-wide Site Kit setting - such as a Google Analytics property ID or Search Console verification - potentially redirecting analytics data to an attacker-controlled Google account. … |
| Remediation | Update the Site Kit by Google WordPress plugin to version 1.176.0 or later; this is the vendor-released patch confirmed by WPScan (https://wpscan.com/vulnerability/824a5c04-c7d6-4286-a499-48452db4d002/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38695
GHSA-8rqq-v4wf-9qrm