Description
The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.
Published: 2026-06-24
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Site Kit by Google WordPress plugin before version 1.176.0, a REST API write endpoint is not correctly limited to administrators. Users with lower privileges who have been granted dashboard sharing access, such as Editors, can therefore alter site‑wide settings that are intended to be modifiable only by administrators. This permits a non‑admin user to change critical configuration values without permission, potentially compromising the intended security posture of the site.

Affected Systems

The affected product is Site Kit by Google for WordPress. All releases prior to 1.176.0 are vulnerable. No specific patch release is listed, but the vulnerability is mitigated by updating to 1.176.0 or later, which restores proper administrator‑only access to the REST API endpoint.

Risk and Exploitability

The EPSS score is <1% and the vulnerability is not listed in CISA KEV. The CVSS score of 2.7 indicates a low severity, but the described weakness allows any user with dashboard sharing permissions to modify settings they are not meant to control. Attackers can exploit this by authenticating as an Editor or similar role and issuing requests to the vulnerable REST API endpoint. No external prerequisites beyond normal authentication are noted, so exploitation is likely straightforward once a user holds dashboard sharing rights.

Generated by OpenCVE AI on June 24, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Site Kit by Google to version 1.176.0 or later.
  • Restrict dashboard sharing permissions for non‑administrative roles or remove sharing access where it is unnecessary.
  • Regularly audit and review site‑wide settings to detect and correct unauthorized changes, and monitor logs for anomalous REST API activity.

Generated by OpenCVE AI on June 24, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google site Kit By Google
Wordpress
Wordpress wordpress
Vendors & Products Google
Google site Kit By Google
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.
Title Site Kit by Google < 1.176.0 - Editor+ Email Reporting Settings Update
References

Subscriptions

Google Site Kit By Google
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-24T13:10:11.079Z

Reserved: 2026-06-03T14:06:52.170Z

Link: CVE-2026-10753

cve-icon Vulnrichment

Updated: 2026-06-24T13:09:42.663Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T18:00:17Z

Weaknesses