CVE-2010-1859

DeluxeBB < 1.3 - SQL Injection via membercookie Cookie

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-1859. PoCs published by Stefan Esser.

AI-analyzed exploit summary: This exploit demonstrates an SQL injection vulnerability in DeluxeBB 1.3 and earlier by manipulating the 'memberid' cookie parameter to extract user credentials from the database. The payload uses a UNION-based SQLi technique to concatenate and retrieve username and password hashes.

Description

SQL injection vulnerability in newpost.php in DeluxeBB 1.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the membercookie cookie when adding a new thread.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Stefan Esser · text · webapps · php
https://www.exploit-db.com/exploits/33945

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: DeluxeBB 1.3 and earlier
Authentication: No auth needed
Prerequisites: Access to the application's cookie parameter 'memberid'
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0083
EPSS Percentile 52.8%

Details

CWE: CWE-89
Status: published
Products (9):
deluxebb/deluxebb 1.0
deluxebb/deluxebb 1.1
deluxebb/deluxebb 1.2
deluxebb/deluxebb 1.05
deluxebb/deluxebb 1.06
deluxebb/deluxebb 1.07
deluxebb/deluxebb 1.08
deluxebb/deluxebb 1.09
deluxebb/deluxebb < 1.3
Published: May 07, 2010
Tracked Since: Feb 18, 2026