CVE Catalog

CVE-2026-10753

Low · CVSS 2.7

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

The Site Kit by Google WordPress plugin before version 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users (such as Editors) to modify a site-wide setting that should only be modifiable by administrators.

Risk Assessment

The risk is that users with limited privileges can change global plugin settings, potentially leading to unauthorized modifications of the Google analytics tool configuration on the site.

Recommendation

Update the Site Kit by Google plugin to version 1.176.0 or later immediately; that release fixes this vulnerability by properly restricting access to sensitive REST API endpoints.

Original NVD description (English source)

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide setting that should only be modifiable by administrators.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS