CVE-2007-1979

xoops_popnupblog < 2.52 - SQL Injection via postid Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1979. PoCs published by ajann.

AI-analyzed exploit summary This is a client-side JavaScript exploit for a blind SQL injection vulnerability in XOOPS Module PopnupBlog. It automates the extraction of the admin password by testing ASCII values of characters in the password.

Description

SQL injection vulnerability in index.php in the PopnupBlog 2.52 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the postid parameter, possibly involving the get_blogid_from_postid function in class/PopnupBlogUtils.php. NOTE: later versions such as 3.03 and 3.05 might also be affected.

Exploits (1)

exploitdb WORKING POC VERIFIED
by ajann · htmlwebappsphp
https://www.exploit-db.com/exploits/3655

This is a client-side JavaScript exploit for a blind SQL injection vulnerability in XOOPS Module PopnupBlog. It automates the extraction of the admin password by testing ASCII values of characters in the password.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: XOOPS Module PopnupBlog <= 2.52
No auth needed
Prerequisites: Target must be running XOOPS Module PopnupBlog <= 2.52 · JavaScript must be enabled in the browser
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/3655
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24761
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1206
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23286

Scores

EPSS 0.0217
EPSS Percentile 79.9%

Details

Status published
Products (1)
xoops/xoops_popnupblog < 2.52
Published Apr 12, 2007
Tracked Since Feb 18, 2026