CVE-2014-2022

vBulletin 4.2.2 and earlier - Authenticated SQL Injection via XMLRPC API conceptid Argument

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2022, a PoC published by tintinweb.

AI-analyzed exploit summary

This exploit leverages a SQL injection vulnerability in vBulletin 4.x via the breadcrumbs_create API endpoint. It allows an authenticated attacker to write arbitrary files to the server, including a PHP shell, by injecting SQL commands into the 'conceptid' parameter.

Description

SQL injection vulnerability in includes/api/4/breadcrumbs_create.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the conceptid argument in an xmlrpc API request.
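The description above fixes the shape of the bug: an API call named breadcrumbs_create whose conceptid argument, which should only ever be a row id, reaches the query unvalidated. The following Python is an added example written for this entry (it is not code from vBulletin, from tintinweb's PoC, or from the references) that parses XML-RPC request bodies, such as those a WAF or reverse proxy logs, and flags calls to that method whose conceptid is not a plain integer. The method and argument names come from the advisory; the sample bodies are constructed here, and the envelope layout (named arguments carried in one struct parameter) is an assumption about the client, not a documented vBulletin format.

```python
import re
import xml.etree.ElementTree as ET

# Names taken from the advisory: the API method and the injectable argument.
METHOD = "breadcrumbs_create"
PARAM = "conceptid"

# conceptid is a row identifier, so a legitimate value is a plain integer.
INT_RE = re.compile(r"^-?\d+$")

# Constructed sample XML-RPC bodies (not captured traffic). The envelope layout,
# named arguments carried as one <struct> parameter, is an assumption about how
# the client formats the call; adjust parse_xmlrpc_call() if your traffic differs.
SAMPLE_CLEAN = (
    "<methodCall><methodName>breadcrumbs_create</methodName>"
    "<params><param><value><struct>"
    "<member><name>conceptid</name><value><int>42</int></value></member>"
    "</struct></value></param></params></methodCall>"
)
SAMPLE_INJECTED = (
    "<methodCall><methodName>breadcrumbs_create</methodName>"
    "<params><param><value><struct>"
    "<member><name>conceptid</name><value><string>"
    "1) UNION SELECT 'probe' INTO OUTFILE '/tmp/probe.txt'-- -"
    "</string></value></member>"
    "</struct></value></param></params></methodCall>"
)
SAMPLE_OTHER = (
    "<methodCall><methodName>some_other_method</methodName>"
    "<params><param><value><struct>"
    "<member><name>conceptid</name><value><string>1 OR 1=1</string></value></member>"
    "</struct></value></param></params></methodCall>"
)


def parse_xmlrpc_call(body):
    """Return (method_name, {arg_name: text}) for a standard XML-RPC methodCall.
    Returns (None, {}) when the body is not well-formed XML-RPC."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, {}
    if root.tag != "methodCall":
        return None, {}
    method = (root.findtext("methodName") or "").strip()
    args = {}
    for member in root.iter("member"):
        name = (member.findtext("name") or "").strip()
        value = member.find("value")
        if not name or value is None:
            continue
        # <value> either wraps a typed element (<int>, <string>, ...) or holds bare text.
        typed = list(value)
        text = typed[0].text if typed else value.text
        args[name] = (text or "").strip()
    return method, args


def classify(body):
    """'ignore' for other methods or unparseable bodies, 'clean' for an integer
    conceptid, 'suspicious' for anything else sent as conceptid."""
    method, args = parse_xmlrpc_call(body)
    if method != METHOD or PARAM not in args:
        return "ignore"
    return "clean" if INT_RE.match(args[PARAM]) else "suspicious"


def scan(bodies):
    """Run classify() over a batch and return the indexes of suspicious requests."""
    return [i for i, body in enumerate(bodies) if classify(body) == "suspicious"]


if __name__ == "__main__":
    for i, body in enumerate([SAMPLE_CLEAN, SAMPLE_INJECTED, SAMPLE_OTHER]):
        print(i, classify(body))
```

The integer check in classify() is also the server-side fix: casting conceptid to an integer, or binding it as a query parameter, before it reaches SQL removes the injection regardless of what the database account is allowed to do. Note that the XML-RPC body, not the access log, carries the argument, so this needs request-body logging or an inline proxy to be useful.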

Exploits (1)

exploit-db (working PoC)
by tintinweb · tags: python, webapps, php
https://www.exploit-db.com/exploits/40115

Classification
Working PoC (confidence 95%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 4.x (verified up to 4.2.2)
Authentication required: yes
Prerequisites: a valid vBulletin API key, since the endpoint is only reachable through the authenticated API, and a MySQL account for vBulletin that can write files: that means the FILE privilege, a secure_file_priv setting that does not exclude the target path, and a web-accessible directory writable by the MySQL server process. The injection executes arbitrary SQL without any of this; only the PHP shell drop depends on it. On a target, SHOW GRANTS FOR CURRENT_USER() and SELECT @@secure_file_priv tell you whether that file-write path is open.
Analyzed by devstral-2, Feb 16, 2026

References (5)

Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1031001
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/70417
Exploit, mailing list (Full Disclosure): http://seclists.org/fulldisclosure/2014/Oct/56

Scores

EPSS: 0.0271 (84.1st percentile)

Details

CWE: CWE-89
Status: published
Products (3)
vbulletin/vbulletin 4.2.0 pl2
vbulletin/vbulletin 4.2.1
vbulletin/vbulletin <= 4.2.2 (4.2.2 itself is affected per the description)
Published: Oct 15, 2014
Tracked since: Feb 18, 2026