CVE-2018-3810
published 2018-01-01

CVE-2018-3810: Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert…

Priority: P194 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 91.48% (99.8th percentile)
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.

Affected

1 range
Vendor | Product | Version range | Fixed in
oturia | smart_google_code_inserter | < 3.5 | 3.5

Detection & IOCs (extracted from sources)

url: /wp-admin/options-general.php?page=smartcode
command: action=savegooglecode&sgcgoogleanalytic=<script...>&sgcwebtools=&button=Save+Changes
command: action=saveadwords&delconf=1&oId[]=1 OR 1=1--&ppccap[]=ex:mywplead&ppcpageid[]=1&ppccode[]=bb&nchkdel1=on
path: smartgooglecode.php
  • Detect unauthenticated POST requests to /options-general.php?page=smartcode with body containing 'sgcgoogleanalytic=' and 'savegooglecode' — the core auth-bypass exploit path for CVE-2018-3810.
  • A secondary SQL injection vector exists via the 'saveadwords' action with the 'oId[]' parameter; monitor POST bodies containing 'action=saveadwords' with SQL metacharacters (e.g., OR 1=1--).
  • For nuclei-style active detection, verify injected payload persistence by issuing a GET to the site root and checking the response body for the injected JavaScript string.
  • The vulnerable function saveGoogleCode() in smartgooglecode.php performs no authorization check; any unauthenticated POST with action=savegooglecode will succeed on unpatched installs (< 3.5).
  • The Snort/ET rule (sid:2033637) requires SSL decryption to be effective against HTTPS-protected WordPress installations, as noted in the rule metadata.
  • The nuclei probe injects a live JavaScript payload (console.log/alert) into the target site during detection; use only in authorized testing environments as it modifies site content.
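
The two request patterns in the bullets above, written as a log-triage check (an added example, not part of the original page or the plugin's code). The request-dict layout and the sample records are constructed, and treating the mere presence of a `wordpress_logged_in_` cookie as "authenticated" is a simplifying assumption; the cookie is not validated.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Assumption: a request carrying this cookie prefix is treated as logged in.
AUTH_COOKIE = "wordpress_logged_in_"
# SQL metacharacters/keywords of the kind the page cites (e.g. OR 1=1--).
SQL_META = re.compile(r"'|--|#|/\*|\b(?:or|and|union|select)\b", re.I)

def classify(req):
    """Return findings for one request dict: method, url, cookie, body."""
    url = urlsplit(req["url"])
    if req["method"] != "POST" or not url.path.endswith("/options-general.php"):
        return []
    if parse_qs(url.query).get("page") != ["smartcode"]:
        return []
    body = parse_qs(req["body"], keep_blank_values=True)
    action = body.get("action", [""])[0].lower()
    authed = AUTH_COOKIE in req.get("cookie", "")
    findings = []
    # Core CVE-2018-3810 path: settings write with no logged-in session.
    if action == "savegooglecode" and "sgcgoogleanalytic" in body and not authed:
        findings.append("unauthenticated savegooglecode")
    # Secondary vector: SQL metacharacters in the oId[] parameter.
    if action == "saveadwords" and any(SQL_META.search(v) for v in body.get("oId[]", [])):
        findings.append("saveadwords oId[] SQL metacharacters")
    return findings

PAGE = "/wp-admin/options-general.php?page=smartcode"
SAVE = "action=savegooglecode&sgcgoogleanalytic=CONSTRUCTED-VALUE&sgcwebtools=&button=Save+Changes"
# Constructed sample records (not real traffic).
SAMPLES = [
    {"method": "POST", "url": PAGE, "cookie": "", "body": SAVE},
    {"method": "POST", "url": PAGE,
     "cookie": "wordpress_logged_in_constructed=admin", "body": SAVE},
    {"method": "POST", "url": PAGE, "cookie": "",
     "body": "action=saveadwords&delconf=1&oId[]=1 OR 1=1--&ppccap[]=ex:mywplead"
             "&ppcpageid[]=1&ppccode[]=bb&nchkdel1=on"},
    {"method": "GET", "url": PAGE, "cookie": "", "body": ""},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["method"], sample["url"], "->", classify(sample) or "no finding")
```

As the Snort/ET bullet notes for HTTPS sites, this only works where POST bodies are visible, for example at a WAF, reverse proxy or TLS-terminating sensor.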

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | | 9.8 | CRITICAL |