CVE-2024-3495

CRITICAL EXPLOITED NUCLEI

Country State City Dropdown CF7 <2.7.2 - SQL Injection

Title source: llm

Exploitation Summary

CVE-2024-3495 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including truonghuuphuc, zomasec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2024-3495, an unauthenticated SQL injection vulnerability in the Country State City Dropdown CF7 WordPress plugin. The exploit automates the extraction of database information by leveraging the 'cnt' and 'sid' parameters in AJAX requests.

Description

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the 'cnt' and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping of the user-supplied parameters and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

Exploits (2)

nomisec WORKING POC 8 stars
by truonghuuphuc · infoleak
https://github.com/truonghuuphuc/CVE-2024-3495-Poc


Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Country State City Dropdown CF7 WordPress plugin <= 2.7.2
No auth needed
Prerequisites: Target must have the vulnerable plugin installed · Target must be accessible via HTTP/HTTPS
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP 1 stars
by zomasec · poc
https://github.com/zomasec/CVE-2024-3495-POC

The repository describes an SQL Injection vulnerability in the Country State City Dropdown CF7 WordPress plugin (versions up to 2.7.2) via the 'cnt' and 'sid' parameters. The lack of proper escaping and prepared statements allows unauthenticated attackers to append malicious SQL queries.

Classification: Writeup 80%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Country State City Dropdown CF7 WordPress plugin <= 2.7.2
No auth needed
Prerequisites: Access to the vulnerable WordPress plugin endpoint
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Wordpress Country State City Dropdown <=2.7.2 - SQL Injection
CRITICAL · VERIFIED · by apple

Scores

CVSS v3 9.8
EPSS 0.9324
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-02-25
CWE: CWE-89
Status published
Products (1)
trustyplugins/Country State City Dropdown CF7 < 2.7.2
Published May 22, 2024
Tracked Since Feb 18, 2026