CVE-2014-9254

MiniBB < 3.1 - SQL Injection via Unsubscribe Code Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9254. PoCs published by Kacper Szurek.

AI-analyzed exploit summary This exploit demonstrates a blind SQL injection vulnerability in miniBB 3.1 due to insufficient input validation in the `code` parameter. The PoC uses a time-based SQL injection to infer password characters.

Description

bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regular expression, which allows remote attackers to conduct SQl injection attacks via the code parameter in an unsubscribe action to index.php.

Exploits (1)

exploitdb WORKING POC

by Kacper Szurek · textwebappsphp

https://www.exploit-db.com/exploits/35579

View Code ZIP pw:eip

This exploit demonstrates a blind SQL injection vulnerability in miniBB 3.1 due to insufficient input validation in the `code` parameter. The PoC uses a time-based SQL injection to infer password characters.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: miniBB 3.1

No auth needed

Prerequisites: Access to the target miniBB installation

MITRE ATT&CK

T1505 - Server Software Component T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/61794

Vendor Advisory x_refsource_confirm

http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html

Exploit x_refsource_misc

http://security.szurek.pl/minibb-31-blind-sql-injection.html

Scores

EPSS 0.0131

EPSS Percentile 66.8%

Details

CWE

CWE-89

Status published

Products (1)

minibb/minibb < 3.1

Published Dec 31, 2014

Tracked Since Feb 18, 2026