PT-2026-47059 · Undefined · Undefined
Published 2026-06-05 · Updated 2026-06-05 · CVE-2026-10753
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
We just found and disclosed CVE-2026-10753 in Google's Site Kit, the official Google plugin running on 5M+ WordPress sites.
Our team caught a broken access control flaw that slipped past everyone else.
One REST API write endpoint checked for view-level access when it should have required admin. That single line let an Editor with dashboard sharing flip a sitewide setting they were never meant to touch. Every sibling endpoint in the same controller already required admin capability. One route drifted out of step.
Running Site Kit? Update to 1.176.0 or later.
Read for a deeper understanding:
https://t.co/35js3wGHTE
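The pattern in the description, one write route checking a weaker capability than its siblings in the same controller, can be caught with a consistency check over a route table. The following is an added example, not code from Site Kit or from the disclosure; the controller names, route paths, capability labels and their ranking are hypothetical, and the route table is constructed.

```python
from collections import defaultdict

# Capability ranks, weakest to strongest (hypothetical labels and ordering).
RANK = {"view_dashboard": 1, "manage_options": 2}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample: (controller, route, methods, capability the permission check requires)
ROUTES = [
    ("settings", "/example/v1/settings/a", {"GET"}, "view_dashboard"),
    ("settings", "/example/v1/settings/a", {"POST"}, "manage_options"),
    ("settings", "/example/v1/settings/b", {"POST"}, "manage_options"),
    ("settings", "/example/v1/settings/c", {"POST"}, "view_dashboard"),  # drifted
    ("reports", "/example/v1/reports/dismiss", {"POST"}, "view_dashboard"),
]


def find_drifted_write_routes(routes, rank=RANK):
    """Return write routes whose required capability is weaker than the
    strongest capability required by sibling write routes in the same controller."""
    by_controller = defaultdict(list)
    for controller, route, methods, cap in routes:
        if cap not in rank:
            # An unranked capability cannot be compared; fail loudly instead of skipping.
            raise ValueError(f"unknown capability {cap!r} on {route}")
        if methods & WRITE_METHODS:
            by_controller[controller].append((route, cap))
    findings = []
    for controller, writes in sorted(by_controller.items()):
        strongest = max((cap for _, cap in writes), key=rank.__getitem__)
        for route, cap in writes:
            if rank[cap] < rank[strongest]:
                findings.append((controller, route, cap, strongest))
    return findings


if __name__ == "__main__":
    for controller, route, cap, expected in find_drifted_write_routes(ROUTES):
        print(f"{controller}: {route} requires {cap}, siblings require {expected}")
```

The check only compares write routes against their siblings, so a controller with a single write route, or one where every write route uses the same weak capability, produces no finding and still needs manual review.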