CVE-2024-38773 CRITICAL

CVE-2024-38773: WordPress formlift plugin <= 7.5.17 - Unauthenticated Blind SQL Injection vulnerability

Vendor Adrian Tobey

Product FormLift for Infusionsoft Web Forms

Weakness CWE-89 · SQLi

Published July 22, 2024

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection.This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17.

Key dates

02Disclosure timeline

July 22, 2024 CVE published

April 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-38773

Related vulnerabilities

04Related CVE

CVE-2026-2413 Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path CVE-2026-3456 GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey' CVE-2025-14090 AMTT Hotel Broadband Operation System cardmake_down.php sql injection CVE-2024-7369 SourceCodester Simple Realtime Quiz System Login ajax.php sql injection CVE-2024-12935 code-projects Simple Admin Panel editItemForm.php sql injection

Identifiers

CVE CVE-2024-38773

CWE CWE-89

CVSS 9.3 / CRITICAL

Affected versions

Vendor Adrian Tobey

Product FormLift for Infusionsoft Web Forms

Affected ≥ n/a and ≤ 7.5.17