PT-2024-26266 · WordPress · Country State City Dropdown Cf7

Krzysztof Zając · Published 2024-05-22 · Updated 2026-02-06 · CVE-2024-3495

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Country State City Dropdown CF7 plugin for WordPress, versions up to and including 2.7.2

Description: The Country State City Dropdown CF7 plugin for WordPress is susceptible to SQL injection through the cnt and sid parameters. Insufficient input validation and inadequate SQL query preparation allow unauthenticated attackers to append additional SQL to existing database queries, which can lead to the extraction of sensitive information from the database. Approximately 4,000 instances of this plugin are found online, some installations dating back nearly a year. Exploitation involves sending crafted requests to the /wp-admin/admin-ajax.php endpoint with malicious payloads in the cnt parameter, together with a valid nonce value; the tc_csca_get_states action is used in the exploitation process.

Recommendations: Versions up to and including 2.7.2 should be updated to a newer, secure version as soon as it becomes available. As a temporary workaround, consider disabling the plugin until a patch is available.
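The root cause named above (input reaching the query text without preparation, on an endpoint that is reachable without login) is illustrated below with a vulnerable handler beside its hardened form. This is an added example written for this page, not the plugin's own code; the parameter name cnt and the action name tc_csca_get_states come from the advisory, while the nonce action name, table name and column names are assumed.

```php
<?php
// Illustrative WordPress AJAX handler for the bug class in the advisory.
// Not the plugin's code: table/column names and the nonce action are assumed.

// BEFORE: the request parameter is concatenated straight into the SQL string,
// so whatever arrives in cnt becomes part of the query text. The nonce only
// shows the request came from a page that rendered the form; because the
// endpoint is hooked for unauthenticated (nopriv) callers, anyone who loads
// that page can obtain one, so it is not a control against injection.
function csca_get_states_vulnerable() {
    global $wpdb;
    check_ajax_referer( 'csca_nonce', 'nonce' );
    $cnt  = $_POST['cnt'];
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}csca_states WHERE country_id = '" . $cnt . "'"
    );
    wp_send_json_success( $rows );
}

// AFTER: the value is coerced to the type the column actually holds and bound
// through $wpdb->prepare(), so it can only ever be data, never SQL syntax.
function csca_get_states_fixed() {
    global $wpdb;
    check_ajax_referer( 'csca_nonce', 'nonce' );
    if ( ! isset( $_POST['cnt'] ) ) {
        wp_send_json_error( 'missing parameter', 400 );
    }
    // Country ids are positive integers in this schema; absint() rejects
    // everything else (quotes, comments, UNION clauses) before the query.
    $cnt  = absint( wp_unslash( $_POST['cnt'] ) );
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}csca_states WHERE country_id = %d",
            $cnt
        )
    );
    wp_send_json_success( $rows );
}

// The nopriv hook is what makes the endpoint reachable by unauthenticated
// visitors, which is why the query itself, not the nonce, must carry the
// security of the handler.
add_action( 'wp_ajax_tc_csca_get_states',        'csca_get_states_fixed' );
add_action( 'wp_ajax_nopriv_tc_csca_get_states', 'csca_get_states_fixed' );
```

The same treatment applies to the sid parameter: pick the type the column holds (%d or %s) and let $wpdb->prepare() bind it.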

Tags: Exploit · Fix · RCE · SQL injection
