CVE-2026-10753
Deferred Deferred - Pending Action

Unauthorized Admin Setting Modification in Site Kit by Google WordPress Plugin

Vulnerability report for CVE-2026-10753, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: WPScan

Description

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
google site_kit to 1.176.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-10753 affects the Site Kit by Google plugin for WordPress versions prior to 1.176.0. It involves improper restriction of a REST API write endpoint, which allows users with Editor privileges (who have been granted dashboard sharing access) to modify a site-wide plugin setting that should only be editable by administrators.

This happens because the vulnerable endpoint incorrectly accepts the 'googlesitekit_view_dashboard' capability, which Editors have, instead of requiring the 'manage_options' capability reserved for administrators.

An attacker with Editor access can exploit this by sending a crafted POST request to disable the email reporting feature, which should only be controllable by admins.

The issue is classified as an incorrect authorization problem (CWE-863) and was fixed in version 1.176.0 by properly restricting the endpoint to administrators only.

Impact Analysis

This vulnerability allows users with Editor-level access, who normally should not have permission to change critical plugin settings, to modify site-wide configurations of the Site Kit by Google plugin.

Specifically, an attacker with such access can disable the email reporting feature by exploiting the REST API endpoint, potentially disrupting important site monitoring or reporting functions.

This could lead to unauthorized changes in site behavior and reduce the effectiveness of site management and monitoring tools.

Detection Guidance

This vulnerability can be detected by checking if your Site Kit by Google WordPress plugin version is prior to 1.176.0 and if users with Editor privileges have dashboard sharing access.

You can attempt to detect exploitation by monitoring for unauthorized POST requests to the vulnerable REST API write endpoint that modify site-wide plugin settings, such as disabling the email reporting feature.

A practical approach is to review your web server logs for POST requests to the Site Kit REST API endpoint from users with Editor roles.

  • Use curl to simulate a POST request as an Editor user to the REST API endpoint and check if the request succeeds or returns a 403 error.
  • Example command to test the endpoint (replace URL and authentication accordingly):
  • curl -X POST https://yourwordpresssite.com/wp-json/google-site-kit/v1/settings -H "Authorization: Bearer <editor_token>" -d '{"emailReportingEnabled":false}' -v

If the request succeeds and changes the setting, the site is vulnerable. If it returns a 403 Forbidden error, the site is patched or not vulnerable.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Site Kit by Google WordPress plugin to version 1.176.0 or later, where the REST API endpoint is properly restricted to administrators.

Until the update can be applied, restrict dashboard sharing permissions to trusted users only and avoid granting Editor roles dashboard sharing access.

Additionally, monitor and audit REST API requests to detect any unauthorized attempts to modify plugin settings.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10753. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart