Impact
In the Site Kit by Google WordPress plugin before version 1.176.0, a REST API write endpoint is not correctly limited to administrators. Users with lower privileges who have been granted dashboard sharing access, such as Editors, can therefore alter site‑wide settings that are intended to be modifiable only by administrators. This permits a non‑admin user to change critical configuration values without permission, potentially compromising the intended security posture of the site.
Affected Systems
The affected product is Site Kit by Google for WordPress. All releases prior to 1.176.0 are vulnerable. No specific patch release is listed, but the vulnerability is mitigated by updating to 1.176.0 or later, which restores proper administrator‑only access to the REST API endpoint.
Risk and Exploitability
The EPSS score is <1% and the vulnerability is not listed in CISA KEV. The CVSS score of 2.7 indicates a low severity, but the described weakness allows any user with dashboard sharing permissions to modify settings they are not meant to control. Attackers can exploit this by authenticating as an Editor or similar role and issuing requests to the vulnerable REST API endpoint. No external prerequisites beyond normal authentication are noted, so exploitation is likely straightforward once a user holds dashboard sharing rights.
OpenCVE Enrichment