CVE-2024-38773

CRITICAL NUCLEI

FormLift for Infusionsoft Web Forms <= 7.5.17 - Unauthenticated Blind SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-38773. PoCs published by Sechunt3r. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains functional cURL commands and a Nuclei template demonstrating unauthenticated SQL injection in FormLift for Infusionsoft Web Forms via the 'form_id' parameter. The PoC includes time-based blind SQLi techniques for data extraction.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection.This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17.

Exploits (1)

github WORKING POC

by Sechunt3r · shellpoc

https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2024-38773

View Code ZIP pw:eip

The repository contains functional cURL commands and a Nuclei template demonstrating unauthenticated SQL injection in FormLift for Infusionsoft Web Forms via the 'form_id' parameter. The PoC includes time-based blind SQLi techniques for data extraction.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: FormLift for Infusionsoft Web Forms <= 7.5.17

No auth needed

Prerequisites: WordPress site with vulnerable FormLift plugin installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Mar 09, 2026 Full analysis →

Nuclei Templates (1)

FormLift for Infusionsoft Web Forms <= 7.5.17 - SQL Injection

CRITICALVERIFIEDby Shivam Kamboj

Shodan: html:"/wp-content/plugins/formlift/"

FOFA: body="/wp-content/plugins/formlift/"

References (1)

Core 1

Core References

Third Party Advisory vdb-entry

https://patchstack.com/database/vulnerability/formlift/wordpress-formlift-plugin-7-5-17-unauthenticated-blind-sql-injection-vulnerability?_s_id=cve

Scores

CVSS v3 9.3

EPSS 0.0199

EPSS Percentile 78.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

Adrian Tobey/FormLift for Infusionsoft Web Forms < 7.5.17

formlift/formlift_for_infusionsoft_web_forms < 7.5.18

Published Jul 22, 2024

Tracked Since Feb 18, 2026