CVE-2015-1576

u5CMS < 3.9.3 - SQL Injection via Multiple Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1576. PoCs published by LiquidWorm.

AI-analyzed exploit summary The document describes multiple SQL injection vulnerabilities in u5CMS versions 3.9.3 and 3.9.2, detailing affected parameters and endpoints. It provides HTTP request examples but lacks executable exploit code.

Description

Multiple SQL injection vulnerabilities in u5CMS before 3.9.4 allow remote attackers to execute arbitrary SQL commands via the name parameter to (1) copy2.php, (2) localize.php, (3) metai.php, (4) nc.php, (5) new2.php, or (6) rename2.php in u5admin/; (7) c parameter to u5admin/editor.php; (8) typ parameter to u5admin/meta2.php; or (9) newname parameter to u5admin/rename2.php.

Exploits (1)

exploitdb WRITEUP

by LiquidWorm · textwebappsphp

https://www.exploit-db.com/exploits/36027

View Code ZIP pw:eip

The document describes multiple SQL injection vulnerabilities in u5CMS versions 3.9.3 and 3.9.2, detailing affected parameters and endpoints. It provides HTTP request examples but lacks executable exploit code.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Theoretical

Target: u5CMS 3.9.3 and 3.9.2

No auth needed

Prerequisites: Access to vulnerable u5CMS endpoints

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit x_refsource_misc

http://packetstormsecurity.com/files/130326/u5CMS-3.9.3-SQL-Injection.html

Exploit x_refsource_misc

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5225.php

Scores

EPSS 0.0213

EPSS Percentile 79.5%

Details

CWE

CWE-89

Status published

Products (1)

yuba/u5cms < 3.9.3

Published Feb 11, 2015

Tracked Since Feb 18, 2026