Skip to main content

Site Kit by Google EUVDEUVD-2026-38695

| CVE-2026-10753 LOW
2026-06-24 WPScan GHSA-8rqq-v4wf-9qrm
2.7
CVSS 3.1 · Vendor: WPScan

Severity by source

Vendor (WPScan) PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
2.7 LOW

Requires explicit dashboard sharing grant (Editor-equivalent privilege, PR:H); only low integrity impact on plugin settings; no confidentiality or availability impact applies.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 14:23 vuln.today
CVSS changed
Jun 24, 2026 - 14:22 NVD
2.7 (LOW)
Patch available
Jun 24, 2026 - 08:16 EUVD
CVE Published
Jun 24, 2026 - 06:00 cve.org
LOW 2.7
CVE Published
Jun 24, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.

AnalysisAI

Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Editor with dashboard sharing
Delivery
Identify unprotected REST API write endpoint
Exploit
Craft unauthorized settings modification request
Execution
Submit request over network
Impact
Overwrite site-wide Site Kit setting

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete conditions: (1) the target WordPress site must be running Site Kit by Google plugin at a version below 1.176.0; (2) the attacker must already possess a WordPress account that has been explicitly granted dashboard sharing access by an administrator - this is a non-default configuration, as dashboard sharing must be actively enabled and delegated; (3) network access to the WordPress REST API (typically the /wp-json/ path). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals converge on low real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds WordPress Editor access or has been granted Site Kit dashboard sharing by an administrator sends a crafted authenticated REST API request directly to the vulnerable write endpoint, bypassing the intended administrator-only restriction. This allows them to silently alter a site-wide Site Kit setting - such as a Google Analytics property ID or Search Console verification - potentially redirecting analytics data to an attacker-controlled Google account. …
Remediation Update the Site Kit by Google WordPress plugin to version 1.176.0 or later; this is the vendor-released patch confirmed by WPScan (https://wpscan.com/vulnerability/824a5c04-c7d6-4286-a499-48452db4d002/). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38695 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy