CVE-2018-3810
Basic Information
- CVE State: PUBLISHED
- Reserved Date: January 01, 2018
- Published Date: January 01, 2018
- Last Updated: August 05, 2024
- Vendor: Oturia
- Product: Oturia Smart Google Code Inserter
- Description: Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
- Tags:
- Score: 91.89% (Percentile: 99.67%) as of 2025-06-10
- Exploited in the Wild: Yes (2025-05-13 00:00:00 UTC)
CVSS Scores
CVSS v3.0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
The Shadowserver (via CIRCL) | 2025-05-13 00:00:00 UTC |
Scanner Integrations
Scanner | URL | Date Detected |
---|---|---|
Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-3810.yaml | 2025-04-26 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
nth347/CVE-2018-3810_exploit
Type: github • Created: 2021-07-30 10:06:04 UTC • Stars: 1
lucad93/CVE-2018-3810
Type: github • Created: 2018-03-29 14:04:11 UTC • Stars: 0
Timeline
- CVE ID Reserved
- CVE Published to Public
- Detected by Nuclei
- Added to KEVIntel