CVE-2018-3810

Tags: CRITICAL · EXPLOITED · NUCLEI · LAB

Smart Google Code Inserter < 3.5 - Unauthenticated Arbitrary Code Insertion via sgcgoogleanalytic Parameter

Title source: llm

Exploitation Summary

CVE-2018-3810 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Benjamin Lim, nth347, cved-sources and lucad93. A Nuclei detection template is also available.

AI-analyzed exploit summary: the Exploit-DB entry demonstrates an authentication bypass in version 3.4 of the Smart Google Code Inserter WordPress plugin, with curl commands that insert arbitrary code through unsanitized POST parameters without any credentials. The same advisory also documents an SQL injection in the plugin; that is a separate flaw and is not what this CVE's description covers.

Description

Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
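The root cause above is a missing authorization check (CWE-287) in a settings save handler, not a sanitization bug: the plugin exists to store raw HTML/JS, so the only effective control is deciding who may change it. The following is an added example written for this page, not the plugin's actual source. It sketches the vulnerable shape the description attributes to saveGoogleCode() next to a hardened handler using standard WordPress APIs. The function names other than the POST parameter sgcgoogleanalytic, the option key sgc_googleanalytic, and the nonce action/field names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Models the flaw described for
// saveGoogleCode() in smartgooglecode.php and one way to fix it.
// Option key and nonce names below are assumptions for illustration.

// Vulnerable shape (CWE-287): whoever reaches this handler with a
// sgcgoogleanalytic POST field overwrites the code injected into every page.
function sgc_save_google_code_vulnerable() {
    if (isset($_POST['sgcgoogleanalytic'])) {
        // No capability check and no nonce: an unauthenticated POST succeeds.
        update_option('sgc_googleanalytic', wp_unslash($_POST['sgcgoogleanalytic']));
        return true;
    }
    return false;
}

// Hardened shape: authenticate the actor, authorize the capability, and bind
// the request to a nonce so a logged-in admin cannot be CSRF'd into saving
// attacker-supplied code either.
function sgc_save_google_code_hardened() {
    if (!isset($_POST['sgcgoogleanalytic'])) {
        return false;
    }
    // Only users who may manage site options may change the injected code.
    if (!is_user_logged_in() || !current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to change this setting.', 'sgc'), 403);
    }
    // Reject requests that do not carry a valid nonce from the settings form.
    // 'sgc_save_code' / 'sgc_nonce' are assumed names for this example.
    check_admin_referer('sgc_save_code', 'sgc_nonce');

    // The feature stores raw HTML/JS on purpose, so the control is
    // authorization, not output escaping; the value is kept as submitted.
    update_option('sgc_googleanalytic', wp_unslash($_POST['sgcgoogleanalytic']));
    return true;
}

// admin_post_{action} only fires for logged-in users; unauthenticated
// requests would need the admin_post_nopriv_ variant, which is deliberately
// not registered here.
add_action('admin_post_sgc_save_code', 'sgc_save_google_code_hardened');

// Settings form that emits the nonce the hardened handler verifies.
function sgc_render_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="sgc_save_code">';
    wp_nonce_field('sgc_save_code', 'sgc_nonce');
    echo '<textarea name="sgcgoogleanalytic">'
        . esc_textarea(get_option('sgc_googleanalytic', ''))
        . '</textarea>';
    submit_button();
    echo '</form>';
}
```

When reviewing a plugin for this class of bug, look for every code path that reaches update_option() from request data and confirm it is guarded by both a capability check and a nonce check; a check on only one of the two leaves either unauthenticated writes or CSRF open.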

Exploits (4)

Exploit-DB · Working PoC · Verified
by Benjamin Lim · text · webapps · php
https://www.exploit-db.com/exploits/43420

The exploit demonstrates an authentication bypass and an SQL injection in version 3.4 of the Smart Google Code Inserter WordPress plugin. It includes curl commands for unauthenticated code insertion via the sgcgoogleanalytic parameter and for the SQLi via unsanitized POST parameters. Only the authentication bypass is the subject of CVE-2018-3810; the SQL injection is a distinct issue in the same advisory.

Classification
Working Poc 100%
Attack Type
Sqli | Auth Bypass | Xss
Complexity
Trivial
Reliability
Reliable
Target: Smart Google Code Inserter < 3.5
No auth needed
Prerequisites: WordPress installation with vulnerable plugin · Network access to the target
Analysis: devstral-2, Feb 16, 2026
nomisec · Working PoC · 1 star
by nth347 · remote
https://github.com/nth347/CVE-2018-3810_exploit

This exploit demonstrates an authentication bypass leading to XSS in WordPress Smart Google Code plugin. It injects malicious JavaScript to exfiltrate cookies via Telegram API.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Smart Google Code plugin (version not specified)
No auth needed
Prerequisites: Target WordPress site with vulnerable Smart Google Code plugin · Network access to the target · Telegram API token and chat ID for exfiltration
Analysis: devstral-2, Feb 16, 2026
nomisec · Working PoC
by cved-sources · poc
https://github.com/cved-sources/cve-2018-3810

This repository provides a Docker container setup for CVE-2018-3810, a vulnerability in the Smart Google Code Inserter WordPress plugin. The script initializes a WordPress environment with MySQL and activates the vulnerable plugin.

Classification
Working Poc 90%
Attack Type
Auth Bypass | Xss (Docker lab for reproducing the issue; the flaw allows client-side code insertion, not server-side code execution)
Complexity
Trivial
Reliability
Reliable
Target: Smart Google Code Inserter WordPress plugin
No auth needed
Prerequisites: Docker environment · WordPress installation
Analysis: devstral-2, Feb 16, 2026
nomisec · Working PoC
by lucad93 · poc
https://github.com/lucad93/CVE-2018-3810

This PoC demonstrates a stored XSS vulnerability in the Smart Google Code plugin for WordPress. It injects a malicious script via the 'sgcgoogleanalytic' parameter, which is then executed when the page is accessed.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Smart Google Code plugin for WordPress (version not specified)
Auth required (as classified for this PoC; the underlying flaw itself needs no authentication, see Description)
Prerequisites: WordPress with Smart Google Code plugin installed · Admin access to WordPress dashboard
Analysis: devstral-2, Feb 16, 2026

Nuclei Templates (1)

Oturia WordPress Smart Google Code Inserter < 3.5 - Authentication Bypass
CRITICAL · by princechaddha

References (4)

Core references:
- Release Notes, Third Party Advisory (x_refsource_misc): https://wordpress.org/plugins/smart-google-code-inserter/#developers
- Third Party Advisory, VDB Entry (x_refsource_misc): https://wpvulndb.com/vulnerabilities/8987
- Exploit, Third Party Advisory, VDB Entry (x_refsource_exploit-db): https://www.exploit-db.com/exploits/43420/

Scores

CVSS v3.0: 9.8 (Critical)
EPSS: 0.9148 (estimated probability of exploitation activity within the next 30 days)
EPSS Percentile: 99.8%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-27
CWE
CWE-287
Status published
Products (1)
oturia/smart_google_code_inserter < 3.5
Published Jan 01, 2018
Tracked Since Feb 18, 2026