Site Kit by Google < 1.8.0 – Privilege Escalation to gain Search Console Access | CVE 2020-8934

Description

This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.

Proof of Concept

Steps to reproduce:
1. Log in as a subscriber on target WordPress site. 
2. View the page source of /wp-admin and command+f to search for "proxySetupURL"
3. Copy the URL that should look something like: https:\/\/sitekit.withgoogle.com\/site-management\/setup\/?scope=openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsiteverification%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fwebmasters&supports=credentials_retrieval%20short_verification_token%20file_verification&nonce=e12d949e42&site_id=hEVXBN2U4AdD8fH-wr9d7b3PbeDw3HFP.apps.sitekit.withgoogle.com 
4. Open the previously copied URL in a new tab.  
5. Sign in with any Google account and just follow the prompts - the site will be added to your search console at the end.