CVE-2024-30498
Published: 2024-03-29
Priority: P2 · 69 · critical · CVSS 3.1 base score: 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: EPSS 2.27% (80.8th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks CRM Perks Forms. This issue affects CRM Perks Forms: from n/a through 1.1.4.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crm_perks | crm_perks_forms | n/a – 1.1.4 | — |
| crmperks | crm_perks_forms | < 1.1.5 | 1.1.5 |
Detection & IOCs (extracted from sources)
- HTTP 200 response with Content-Type text/html and a body containing JSON status ok indicates successful SQL injection exploitation of CRM Perks Forms
- Response body containing the string '"status":"ok"' can be used to confirm successful exploitation of the SQLi vulnerability in CRM Perks Forms
- SQL injection probe using a single-quote payload (value ending in 8') can be used to detect the vulnerability in CRM Perks Forms input fields
- The vulnerability affects CRM Perks Forms from n/a through version 1.1.4; versions above 1.1.4 are not stated to be affected
No detection rules found.
Nuclei
CRM Perks Forms <= 1.1.4 - SQL Injection
nuclei · CVSS 10.0
CVE-2024-30498 [CRITICAL] CRM Perks Forms <= 1.1.4 - SQL Injection

```yaml
CRM Perks Forms = 8'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "\"status\":\"ok\"")'
condition: and
# digest: 4b0a00483046022100d9cd924ec6afa4e83fe78a45e3b778abbfccfa9b50305eeddc5352ed867a296d022100845d5999b2f934129f78b6bd09c0c189887d9506b03c9b2352cf008202a29352:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
https://patchstack.com/database/vulnerability/crm-perks-forms/wordpress-crm-perks-forms-plugin-1-1-4-unauthenticated-sql-injection-vulnerability?_s_id=cve