CVE-2014-9240

MyBB 1.8.x < 1.8.2 - SQL Injection via member.php question_id Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9240.

AI-analyzed exploit summary: The provided exploit demonstrates multiple vulnerabilities in MyBB 1.8.X, including SQL Injection via the 'question_id' parameter and several XSS vulnerabilities (reflected and stored). The SQLi exploit uses error-based techniques to extract database information, while the XSS exploits leverage unsanitized input in various parameters.

Description

SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action.

Exploits (1)

exploitdb WORKING POC
webapps · php
https://www.exploit-db.com/exploits/35224

Classification: Working PoC 100%
Attack Type: SQLi | XSS
Complexity: Trivial
Reliability: Reliable
Target: MyBB 1.8.X (tested on 1.8.1)
No auth needed
Prerequisites: Access to the MyBB registration or report pages · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 19, 2026

Scores

EPSS 0.0348
EPSS Percentile 87.6%

Details

CWE: CWE-89
Status: published
Products (2)
mybb/mybb 1.8.0
mybb/mybb 1.8.1
Published Dec 03, 2014
Tracked Since Feb 18, 2026