CVE-2018-3811

CRITICAL LAB

Smart Google Code Inserter < 3.5 - Unauthenticated SQL Injection via oId Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-3811. PoCs published by Benjamin Lim, cved-sources.

AI-analyzed exploit summary: The exploit demonstrates an authentication bypass and SQL injection vulnerability in Smart Google Code Inserter WordPress plugin version 3.4. It includes curl commands to exploit unauthenticated code insertion and SQLi via unsanitized POST parameters.

Description

SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Benjamin Lim · text · webapps · php
https://www.exploit-db.com/exploits/43420

The exploit demonstrates an authentication bypass and SQL injection vulnerability in Smart Google Code Inserter WordPress plugin version 3.4. It includes curl commands to exploit unauthenticated code insertion and SQLi via unsanitized POST parameters.

Classification: Working PoC 100%
Attack Type: SQLi | Auth Bypass | XSS
Complexity: Trivial
Reliability: Reliable
Target: Smart Google Code Inserter < 3.5
No auth needed
Prerequisites: WordPress installation with vulnerable plugin · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by cved-sources · poc
https://github.com/cved-sources/cve-2018-3811

This repository provides a Docker container setup for CVE-2018-3811, a vulnerability in the Smart Google Code Inserter WordPress plugin. The script initializes a WordPress environment with MySQL and activates the vulnerable plugin, making it ready for exploitation testing.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Smart Google Code Inserter plugin
No auth needed
Prerequisites: Docker environment · WordPress installation
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
https://wpvulndb.com/vulnerabilities/8988 (Third Party Advisory, VDB Entry; x_refsource_misc)
https://wordpress.org/plugins/smart-google-code-inserter/#developers (Release Notes, Third Party Advisory; x_refsource_misc)
https://www.exploit-db.com/exploits/43420/ (Exploit, Third Party Advisory, VDB Entry; x_refsource_exploit-db)

Scores

CVSS v3 9.8
EPSS 0.4291
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull cved/base-wordpress

Details

CWE CWE-89
Status published
Products (1)
oturia/smart_google_code_inserter < 3.5
Published Jan 01, 2018
Tracked Since Feb 18, 2026