9.8
CVE-2018-3810
- EPSS 91.48%
- Veröffentlicht 01.01.2018 06:29:00
- Zuletzt bearbeitet 21.11.2024 04:06:04
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginSmart Google Code Inserter < 3.5 - Stored Cross-Site Scripting
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
Mögliche Gegenmaßnahme
Smart Google Code Inserter: Update to version 3.5, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Oturia ≫ Smart Google Code Inserter SwPlatformwordpress Version < 3.5
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Smart Google Code Inserter
Version
[*, 3.5)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 91.48% | 0.998 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://limbenjamin.com/articles/smart-google-code-inserter-auth-bypass.html
https://wordpress.org/plugins/smart-google-code-inserter/#developers
https://wpvulndb.com/vulnerabilities/8987
https://www.exploit-db.com/exploits/43420/
https://www.wordfence.com/threat-intel/vulnerabilities/id/c3f3e56e-bbb6-4ceb-811d-447ed837d176