CVE-2026-10753
Status: Received - Intake
Unauthorized Admin Setting Modification in Site Kit by Google WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: WPScan

Description
The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide setting that should only be modifiable by administrators.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A (no CVSS or EPSS scores are listed on the record)
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: google
Product: site_kit
Version / Range: versions before 1.176.0 (1.176.0 excluded)
Helpful Resources
CWE: CWE-UNKNOWN (the record carries no CWE mapping; the summary below cites CWE-863)

AI Quick Actions (instant insights generated by AI)
Executive Summary

The vulnerability CVE-2026-10753 affects the Site Kit by Google plugin for WordPress versions prior to 1.176.0. It involves improper restriction of a REST API write endpoint, which allows users with Editor privileges (who have been granted dashboard sharing access) to modify a site-wide plugin setting that should only be editable by administrators.

This happens because the vulnerable endpoint incorrectly accepts the 'googlesitekit_view_dashboard' capability, which Editors have, instead of requiring the 'manage_options' capability reserved for administrators.

An attacker with Editor access can exploit this by sending a crafted POST request to disable the email reporting feature, which should only be controllable by admins.

The issue is classified as an incorrect authorization problem (CWE-863) and was fixed in version 1.176.0 by properly restricting the endpoint to administrators only.
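As an added example (not Site Kit's own code), the pattern behind this class of bug in a WordPress plugin: a REST write route whose permission_callback checks the dashboard view capability an Editor holds, beside the hardened check that requires manage_options. The route path, option name and function names are assumptions; only the two capability names come from the summary above.

```php
<?php
// Added illustrative example, not Site Kit's own code. Route path, option
// name and function names are assumptions; the capability names
// 'googlesitekit_view_dashboard' and 'manage_options' come from the advisory.

// Vulnerable pattern: a dashboard *view* capability gates a *write* endpoint.
// Editors granted dashboard sharing hold this capability, so the check
// passes for them and a site-wide setting becomes editable.
function example_weak_permission_check( WP_REST_Request $request ) {
    return current_user_can( 'googlesitekit_view_dashboard' );
}

// Hardened pattern: the setting is administrator-only, so the write endpoint
// requires 'manage_options'. Returning WP_Error gives callers the 403 (or 401
// when not logged in) that the curl check in the detection section looks for.
function example_admin_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to change this setting.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Write handler: persists the boolean and echoes the stored value.
function example_update_email_reporting( WP_REST_Request $request ) {
    $enabled = (bool) $request->get_param( 'emailReportingEnabled' );
    update_option( 'example_email_reporting_enabled', $enabled );
    return rest_ensure_response( array( 'emailReportingEnabled' => $enabled ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'example_update_email_reporting',
        // Admin-only check. Using example_weak_permission_check here instead
        // would reproduce the authorization gap described above.
        'permission_callback' => 'example_admin_permission_check',
        'args'                => array(
            'emailReportingEnabled' => array(
                'required' => true,
                'type'     => 'boolean',
            ),
        ),
    ) );
} );
```

The permission callback runs before the handler and before argument validation, so a request from a non-administrator never reaches update_option.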

Impact Analysis

This vulnerability allows users with Editor-level access, who normally should not have permission to change critical plugin settings, to modify site-wide configurations of the Site Kit by Google plugin.

Specifically, an attacker with such access can disable the email reporting feature by exploiting the REST API endpoint, potentially disrupting important site monitoring or reporting functions.

This could lead to unauthorized changes in site behavior and reduce the effectiveness of site management and monitoring tools.

Detection Guidance

This vulnerability can be detected by checking if your Site Kit by Google WordPress plugin version is prior to 1.176.0 and if users with Editor privileges have dashboard sharing access.

You can attempt to detect exploitation by monitoring for unauthorized POST requests to the vulnerable REST API write endpoint that modify site-wide plugin settings, such as disabling the email reporting feature.

A practical approach is to review your web server logs for POST requests to the Site Kit REST API endpoint from users with Editor roles; because web server logs do not record the WordPress user or role, correlate the requests with the site's user activity or audit log.

  • Use curl to simulate a POST request as an Editor user to the REST API endpoint and check whether the request succeeds or returns a 403 error.
  • Example command to test the endpoint (replace the URL and authentication accordingly; the Content-Type header is needed so the JSON body is parsed as JSON rather than as form data):

      curl -X POST https://yourwordpresssite.com/wp-json/google-site-kit/v1/settings -H "Authorization: Bearer <editor_token>" -H "Content-Type: application/json" -d '{"emailReportingEnabled":false}' -v

If the request succeeds and changes the setting, the site is vulnerable. If it returns a 403 Forbidden error, the site is patched or not vulnerable.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Site Kit by Google WordPress plugin to version 1.176.0 or later, where the REST API endpoint is properly restricted to administrators.

Until the update can be applied, restrict dashboard sharing permissions to trusted users only and avoid granting Editor roles dashboard sharing access.

Additionally, monitor and audit REST API requests to detect any unauthorized attempts to modify plugin settings.
