Vulnerability Details : CVE-2018-3810
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
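The defect described above is a settings-save handler that trusts any request reaching it. The following is an added, constructed example (not code from the Smart Google Code Inserter plugin; the option name, hook names, and `sgci_example_*` function names are hypothetical) that places the unprotected pattern beside a hardened one using the standard WordPress capability and nonce checks. The request parameter name `sgcgoogleanalytic` is taken from the advisory text.

```php
<?php
// Added example: how a WordPress settings-save handler should gate writes.
// Not the plugin's code; names prefixed sgci_example_ are hypothetical.

// Weak pattern: anyone who reaches this hook can overwrite the stored code.
// Because the plugin's purpose is to emit the stored value verbatim on every
// page, authorization on the write path is the only control that matters.
function sgci_example_save_weak() {
    $code = isset($_POST['sgcgoogleanalytic']) ? wp_unslash($_POST['sgcgoogleanalytic']) : '';
    update_option('sgci_example_google_code', $code); // hypothetical option name
}

// Hardened pattern: require an administrator capability, verify the nonce
// (ties the request to a form this site rendered for this user), then store.
function sgci_example_save_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to change this setting.'), '', array('response' => 403));
    }
    // Fails with a 403 "The link you followed has expired" page on a missing/invalid nonce.
    check_admin_referer('sgci_example_save', 'sgci_example_nonce');

    $code = isset($_POST['sgcgoogleanalytic']) ? wp_unslash($_POST['sgcgoogleanalytic']) : '';
    update_option('sgci_example_google_code', $code);

    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=sgci-example')));
    exit;
}
// admin_post_{action} only fires for logged-in users; the admin_post_nopriv_{action}
// variant would expose the handler to anonymous requests and must not be used here.
add_action('admin_post_sgci_example_save', 'sgci_example_save_hardened');

// Form side: emits the nonce field that check_admin_referer() validates.
function sgci_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="sgci_example_save">
        <?php wp_nonce_field('sgci_example_save', 'sgci_example_nonce'); ?>
        <textarea name="sgcgoogleanalytic"><?php echo esc_textarea(get_option('sgci_example_google_code', '')); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of issue, look at every function that calls `update_option()` or writes to the database on a request path (`init`, `admin_init`, `admin_post_*`, `wp_ajax_*` hooks) and confirm that both a `current_user_can()` check and a nonce check precede the write; a handler registered on a `nopriv` hook or on `init` with neither check is reachable by an unauthenticated request, which is exactly the condition the advisory describes.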
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2018-3810
- cpe:2.3:a:oturia:smart_google_code_inserter:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-3810
73.92%
Probability of exploitation activity in the next 30 days
EPSS Score History
~98% percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-3810
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2018-3810
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-3810
- https://wpvulndb.com/vulnerabilities/8987
  Smart Google Code Inserter <= 3.4 - Unauthenticated Cross-Site Scripting (XSS). Third Party Advisory; VDB Entry
- https://limbenjamin.com/articles/smart-google-code-inserter-auth-bypass.html
  Smart Google Code Inserter < 3.5 - Auth Bypass/SQLi. Exploit; Third Party Advisory
- https://wordpress.org/plugins/smart-google-code-inserter/#developers
  Smart Google Code Inserter – WordPress plugin | WordPress.org. Release Notes; Third Party Advisory
- https://www.exploit-db.com/exploits/43420/
  WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass / SQL Injection. Exploit; Third Party Advisory; VDB Entry