CVE-2024-3495

Published May 22, 2024

Last updated a year ago

CVSS critical 9.8
WordPress

Overview

Description
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source
security@wordfence.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2024-3495 : CRITICAL WORDPRESS SQL INJECTION ALERT 🚨 An unauthenticated SQL injection vulnerability has been disclosed in the Country State City Dropdown CF7 WordPress plugin, exploitable via exposed AJAX endpoints and requiring no authentication or user interaction.

    @OstorlabSec

    6 Feb 2026

    58 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. Post 5/30 : CVE-2024-3495 - SQLi 1. Find wp-admin.ajax 2. Find out nonce : curl "Target-url" | grep nonce 3. exploit and get version curl -sk 'https://<TARGET>/wp-admin/admin-ajax.php' \ -d "action=tc_csca_get_states" \ -d "nonce_ajax=VALID-NONCE" \ -d "cnt=1 OR 0 UNION

    @h4x0r_fr34k

    23 Oct 2025

    10682 Impressions

    50 Retweets

    271 Likes

    221 Bookmarks

    6 Replies

    0 Quotes

Related CVEs

  1. The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.CVE-2026-2486
  2. WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.CVE-2026-26370
  3. The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.CVE-2025-67846
  4. The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.CVE-2025-9501
  5. The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.CVE-2025-8085

References

Sources include official advisories and independent security research.