CVE-2018-3810
Description
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
CVSS Version 3.0 (source: NVD)
CVE ID: CVE-2018-3810
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Version 2.0 (source: NVD)
CVE ID: CVE-2018-3810
Base Score: 7.5
Base Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
Proof Of Concept
Nuclei Templates for CVE-2018-3810
Reference: Project Discovery GitHub
lucad93
Reference: GitHub
cved-sources
cve-2018-3810
Reference: GitHub
nth347
Exploit for CVE-2018-3810
Reference: GitHub
Reference: NVD