CVE-2018-3811

9.8CRITICAL

Key Information:

Vendor
Wordpress
Status
Smart Google Code Inserter
Vendor
CVE Published:
1 January 2018

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2018-3811
Created by cved-sources

References

https://wpvulndb.com/vulnerabilities/8988
x_refsource_MISC
https://wordpress.org/plugins/smart-google-code-inserter/...
x_refsource_MISC
https://limbenjamin.com/articles/smart-google-code-insert...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.