CVE-2026-10753
Severity: Low (CVSS 2.7)
Exploitation Probability (EPSS): Low risk, 6th percentile (higher than 6% of all known CVEs)
Summary
The Site Kit by Google WordPress plugin before version 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users (such as Editors) to modify a site-wide setting that should only be modifiable by administrators.
Risk Assessment
Users with limited privileges can change global plugin settings, which could lead to unauthorized modifications of the Google analytics tool configuration on the site.
Recommendation
Update the Site Kit by Google plugin to version 1.176.0 or later immediately. That release fixes this vulnerability by properly restricting access to sensitive REST API endpoints.
Original NVD description (English source)
The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.

