Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated…
mitre·CWE-287·Published 2018-01-01
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.
Vulnerabilidad de omisión de autenticación en el plugin Smart Google Code Inserter de Oturia en versiones anteriores a la 3.5 para WordPress permite que los atacantes no autenticados inserten código JavaScript o HTML arbitrario (mediante el parámetro sgcgoogleanalytic) que se ejecutaría en todas las páginas servidas por WordPress. La función saveGoogleCode() en smartgooglecode.php no comprueba si la petición actual la realiza un usuario autorizado, permitiendo que cualquier usuario no autenticado actualice con éxito el código insertado.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 7.5 | 10.0 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| 3.0 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |