Benjamin Lim

4 exploits Active since Sep 2017
CVE-2018-3810 EXPLOITDB CRITICAL text WORKING POC
Oturia Smart Google Code Inserter < 3.5 - Authentication Bypass
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
CVSS 9.8
CVE-2018-3811 EXPLOITDB CRITICAL text WORKING POC
Oturia Smart Google Code Inserter < 3.5 - SQL Injection
SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query.
CVSS 9.8
CVE-2019-13344 EXPLOITDB MEDIUM text WORKING POC
Crudlab WP Like Button < 1.6.0 - Missing Authentication
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
CVSS 5.3
CVE-2017-14126 EXPLOITDB MEDIUM text WORKING POC
WordPress <1.7.5.10 - XSS
The Participants Database plugin before 1.7.5.10 for WordPress has XSS.
CVSS 6.1