On April 21st, the Wordfence team discovered a critical vulnerability in the Google Site Kit plugin for WordPress that grants an attacker Google Search Console access.
Site Kit by Google is a plugin that obtains and displays insights on a site’s visitors and search performance, as well as advertising performance, page speed insights and other metrics from Google services, in the WordPress dashboard. The plugin was installed on 300,000 websites.
You can read a very detailed report by the Wordfence team on their blog.
What Should You Do
If you are on our WordPress Managed Maintenance plan, we have already installed the latest version for you. You still need to check your Google Search Console, though. Site Kit by Google provides functionality to reset a site’s connection with Site Kit. If you discover that a rogue Google Search Console owner has been added, we recommend taking the extra step of resetting Site Kit by Google on your WordPress site (in the plugin's Admin Settings). All potentially affected clients on our maintenance plan were also notified by email.
If you're not on our maintenance plan... well, what are you waiting for? Sign up today!