CVE-2020-8934: 
WordPress vulnerability analysis and mitigation

The Site Kit by Google plugin for WordPress contains a Sensitive Information Disclosure vulnerability (CVE-2020-8934) in versions up to and including 1.8.0. The vulnerability was discovered by Chloe Chamberland and publicly disclosed on May 21, 2020. This security flaw affects the WordPress plugin's admin functionality (NVD, WPScan).

The vulnerability stems from the lack of capability checks on the admin_enqueue_scripts action which displays the connection key. The issue has a CVSS v3.1 Base Score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, requires no user interaction, has unchanged scope, and can impact confidentiality but not integrity or availability (NVD).

The vulnerability allows authenticated attackers with any level of access to obtain owner access to a site in the Google Search Console. This means that even users with minimal privileges could potentially gain administrative-level access to the site's search console functionality (WPScan).

The recommended mitigation is to upgrade to version 1.8.1 or above of the Site Kit by Google plugin (NVD).