CVE-2012-2332

Serendipity < 1.6.1 - SQL Injection via serendipity[plugin_to_conf] Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2332. PoCs published by Stefan Schurtz.

AI-analyzed exploit summary This advisory describes a Cross-Site Scripting (XSS) and SQL Injection (SQLi) vulnerability in Serendipity 1.6. It provides proof-of-concept URLs for both vulnerabilities but does not include executable exploit code.

Description

SQL injection vulnerability in serendipity/serendipity_admin.php in Serendipity before 1.6.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[plugin_to_conf] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).

Exploits (1)

exploitdb WRITEUP VERIFIED
by Stefan Schurtz · textwebappsphp
https://www.exploit-db.com/exploits/18884

This advisory describes a Cross-Site Scripting (XSS) and SQL Injection (SQLi) vulnerability in Serendipity 1.6. It provides proof-of-concept URLs for both vulnerabilities but does not include executable exploit code.

Classification
Writeup 100%
Attack Type
Xss | Sqli
Complexity
Trivial
Reliability
Reliable
Target: Serendipity 1.6
No auth needed
Prerequisites: Access to the target Serendipity backend
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7

Scores

EPSS 0.0166
EPSS Percentile 73.7%

Details

CWE
CWE-89
Status published
Products (35)
s9y/serendipity 0.3
s9y/serendipity 0.4
s9y/serendipity 0.7
s9y/serendipity 0.7.1
s9y/serendipity 0.8
s9y/serendipity 0.8.1
s9y/serendipity 0.8.2
s9y/serendipity 0.8.3
s9y/serendipity 0.8.4
s9y/serendipity 0.8.5
... and 25 more
Published Aug 13, 2012
Tracked Since Feb 18, 2026