CVE-2010-4940

WAnewsletter 2.1.2 - SQL Injection via id Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-4940. PoCs published by BrOx-Dz.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in WAnewsletter v2.1.2, allowing an attacker to extract admin credentials via a crafted UNION SELECT query. The PoC provides a direct URL to retrieve the username and password from the wa_admin table.

Description

SQL injection vulnerability in index.php in WAnewsletter 2.1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by BrOx-Dz · textwebappsphp
https://www.exploit-db.com/exploits/15090

This exploit demonstrates a SQL injection vulnerability in WAnewsletter v2.1.2, allowing an attacker to extract admin credentials via a crafted UNION SELECT query. The PoC provides a direct URL to retrieve the username and password from the wa_admin table.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: WAnewsletter v2.1.2
No auth needed
Prerequisites: Access to the target URL with the vulnerable parameter
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/43440
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/15090
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/61993
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.org/1009-exploits/wanewsletter-sql.txt
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8462

Scores

EPSS 0.0104
EPSS Percentile 59.7%

Details

CWE
CWE-89
Status published
Products (1)
wanewsletter/wanewsletter 2.1.2
Published Oct 09, 2011
Tracked Since Feb 18, 2026