
Description

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide plugin setting that should only be modifiable by administrators.

PUBLISHED Reserved 2026-06-03 | Published 2026-06-24 | Updated 2026-06-24 | Assigner WPScan

Problem types

CWE-863 Incorrect Authorization

Product status

Default status: unaffected

Any version before 1.176.0: affected

Credits

Shashank (finder)

WPScan (coordinator)

References

wpscan.com/...rability/824a5c04-c7d6-4286-a499-48452db4d002/ exploit vdb-entry technical-description

cve.org (CVE-2026-10753)

nvd.nist.gov (CVE-2026-10753)
