CVE-2024-30498

CRITICAL NUCLEI

CRM Perks Forms <= 1.1.4 - Unauthenticated SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-30498. PoCs published by Sechunt3r. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-30498, an unauthenticated SQL injection vulnerability in CRM Perks Forms for WordPress. The exploit includes a YAML-based Nuclei template and a Bash script that demonstrates time-based blind SQL injection via the 'form_id' parameter.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks CRM Perks Forms.This issue affects CRM Perks Forms: from n/a through 1.1.4.

Exploits (1)

github WORKING POC
by Sechunt3r · shellpoc
https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2024-30498

This repository contains a functional exploit for CVE-2024-30498, an unauthenticated SQL injection vulnerability in CRM Perks Forms for WordPress. The exploit includes a YAML-based Nuclei template and a Bash script that demonstrates time-based blind SQL injection via the 'form_id' parameter.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: CRM Perks Forms WordPress plugin <= 1.1.4
No auth needed
Prerequisites: WordPress site with CRM Perks Forms plugin <= 1.1.4 installed
devstral-2 · analyzed Mar 08, 2026 Full analysis →

Nuclei Templates (1)

CRM Perks Forms <= 1.1.4 - SQL Injection
CRITICALVERIFIEDby Shivam Kamboj

References (1)

Core 1

Scores

CVSS v3 9.3
EPSS 0.0227
EPSS Percentile 80.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
CRM Perks/CRM Perks Forms < 1.1.4
crmperks/crm_perks_forms < 1.1.5
Published Mar 29, 2024
Tracked Since Feb 18, 2026