AI description
Automated description summarized from trusted sources.
CVE-2024-3495 is a SQL Injection vulnerability found in the Country State City Dropdown CF7 plugin for WordPress. The plugin is used to provide cascading dropdown menus for country, state, and city selection in forms. The vulnerability exists in versions up to and including 2.7.2. The vulnerability is due to insufficient escaping on user-supplied parameters, specifically the 'cnt' and 'sid' parameters, and a lack of sufficient preparation in the existing SQL query. This allows unauthenticated attackers to append additional SQL queries, potentially extracting sensitive information from the database. The issue is present in the `tc_csca_get_cities` function in the `admin-ajax.php` file.
- Description
- The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Source
- security@wordfence.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Hype score
- Not currently trending