KEVIntel
9.8
CVSS
Critical

CVE-2018-3810

PUBLISHED

PoC available · Remote · Low complexity · No user interaction
Vendor: Oturia
Product: Smart Google Code Inserter
Published: Jan 01, 2018
Description

Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.

nuclei_scanner

CVSS scores

CVSS v3.0 9.8 Critical

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation status

Proof of concept available

Recorded 2018-03-29 14:04:11 UTC · Source

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: The Shadowserver (via CIRCL) · Added: Jun 07, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

nth347/CVE-2018-3810_exploit

github · Created 2021-07-30 10:06:04 UTC · 1 star

Exploit for CVE-2018-3810

lucad93/CVE-2018-3810

github · Created 2018-03-29 14:04:11 UTC · 0 stars

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Added to KEVIntel