CVE-2018-3811

CRITICAL LAB

Oturia Smart Google Code Inserter < 3.5 - SQL Injection

Title source: rule

Description

SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Benjamin Lim · textwebappsphp

https://www.exploit-db.com/exploits/43420

View Code ZIP pw:eip

nomisec WORKING POC

by cved-sources · poc

https://github.com/cved-sources/cve-2018-3811

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://limbenjamin.com/articles/smart-google-code-inserter-auth-bypass.html

[Release Notes, Third Party Advisory] https://wordpress.org/plugins/smart-google-code-inserter/#developers

[Third Party Advisory, VDB Entry] https://wpvulndb.com/vulnerabilities/8988

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/43420/

Scores

CVSS v3 9.8

EPSS 0.3140

EPSS Percentile 96.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull cved/base-wordpress

https://github.com/cved-sources/cve-2018-3811

View in Library

Details

CWE

CWE-89

Status published

Products (1)

oturia/smart_google_code_inserter < 3.5

Published Jan 01, 2018

Tracked Since Feb 18, 2026