WordPress Plugin Vulnerabilities

Site Kit by Google < 1.176.0 - Editor+ Email Reporting Settings Update

Description

The plugin does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide plugin setting that should only be modifiable by administrators.

Proof of Concept

Affects Plugins

Plugin icon
google-site-kit
Fixed in 1.176.0

References

CVE
CVE-2026-10753
URL
https://github.com/google/site-kit-wp/pull/12349

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Shashank
Submitter
Shashank
Submitter website
https://credshields.com/
Submitter twitter
cyberboyIndia
Verified
Yes
WPVDB ID
824a5c04-c7d6-4286-a499-48452db4d002

Timeline

Publicly Published
2026-06-03 (about 10 days ago)
Added
2026-06-03 (about 9 days ago)
Last Updated
2026-06-03 (about 9 days ago)

Other

Published
Title
Published
2019-02-26
Title
Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update
Published
2024-03-01
Title
GenerateBlocks < 1.8.3 - Contributor+ Arbitrary Draft/Private Post Access
Published
2023-11-28
Title
WCMultiShipping < 2.3.8 - Subscriber+ Arbitrary Account Credentials Test
Published
2025-04-09
Title
SureForms < 1.4.4 - Contributor+ Settings Update
Published
2023-07-14
Title
Export and Import Users and Customers < 2.4.2 - Shop Manager+ Privilege Escalation