Benjamin Lim

4 exploits Active since Sep 2017
CVE-2018-3810 EXPLOITDB CRITICAL text WORKING POC
Smart Google Code Inserter < 3.5 - Unauthenticated Arbitrary Code Insertion via sgcgoogleanalytic Parameter
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
CVSS 9.8
CVE-2018-3811 EXPLOITDB CRITICAL text WORKING POC
Smart Google Code Inserter < 3.5 - Unauthenticated SQL Injection via oId Parameter
SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query.
CVSS 9.8
CVE-2019-13344 EXPLOITDB MEDIUM text WORKING POC
CRUDLab WP Like Button <= 1.6.0 - Unauthenticated Settings Update via contains() Function
An authentication bypass vulnerability in the CRUDLab WP Like Button plugin through 1.6.0 for WordPress allows unauthenticated attackers to change settings. The contains() function in wp_like_button.php did not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update settings, as demonstrated by the wp-admin/admin.php?page=facebook-like-button each_page_url or code_snippet parameter.
CVSS 5.3
CVE-2017-14126 EXPLOITDB MEDIUM text WORKING POC
Participants Database < 1.7.5.10 - Cross-Site Scripting
The Participants Database plugin before 1.7.5.10 for WordPress has XSS.
CVSS 6.1