CVE-2013-5020

MiniBB < 3.0.1 - Cross-Site Scripting via forum_name, forum_group, forum_icon, or forum_desc Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-5020. PoCs published by Netsparker.

AI-analyzed exploit summary: The exploit demonstrates SQL injection vulnerabilities in miniBB 3.0.0 via unsanitized parameters in multiple functions, allowing attackers to extract sensitive data like MySQL version and admin credentials.

Description

Multiple cross-site scripting (XSS) vulnerabilities in bb_admin.php in MiniBB before 3.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) forum_name, (2) forum_group, (3) forum_icon, or (4) forum_desc parameter. NOTE: the whatus vector is already covered by CVE-2008-2066.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Netsparker · text · webapps · php
https://www.exploit-db.com/exploits/38639

Classification: Working Poc 95%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: miniBB 3.0.0
Auth required
Prerequisites: Access to a user account with posting privileges · WordPress admin access for certain exploits
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/61116
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/95122
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2013/Jul/102

Scores

EPSS 0.0186
EPSS Percentile 76.6%

Details

CWE CWE-79
Status published
Products (1)
minibb/minibb < 3.0
Published Jul 31, 2013
Tracked Since Feb 18, 2026