CVE-2013-2945 in b2evolution
Summary
by MITRE
SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.
Analysis
by VulDB Data Team • 05/09/2026
CVE-2013-2945 is a SQL injection flaw in the b2evolution blogging platform affecting versions before 4.1.7 (4.1.6 and earlier). It sits in blogs/admin.php and is reached through the show_statuses[] parameter, which is used by administrative operations in the platform's back end; the trailing [] means PHP hands the script an array, so each element of that array reaches the query. On its own the flaw requires an authenticated administrator, but because the vulnerable request can be triggered from another site, an unauthenticated attacker can reach the same code path through Cross-Site Request Forgery by getting a logged-in administrator to load a page the attacker controls.
The root cause is missing validation and escaping of this user-supplied array. When show_statuses[] is processed, its elements are placed into a SQL statement without being escaped or checked against the set of legitimate status values, so a crafted element can close the intended string literal, alter the query and append further SQL, all of which the database executes with the privileges of the application's database account.
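To make the mechanism concrete, here is an added example written for this page in Python against an in-memory SQLite database; it is not b2evolution's code, and the real query in admin.php is not reproduced. `list_posts_vulnerable` models the unsafe pattern of quoting each show_statuses[] element by string concatenation into an IN (...) clause, `list_posts_parameterized` binds the values instead, and `list_posts_hardened` adds an allow-list check on top. The table and column names, the status values, the sample rows and the payload are all constructed for the example.

```python
import sqlite3

# Constructed allow-list of status values the admin UI may legitimately request
# (hypothetical names, not taken from b2evolution's schema).
ALLOWED_STATUSES = {"published", "draft", "deprecated", "private"}


def build_db():
    """Create a throwaway SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.execute("CREATE TABLE users (login TEXT, pass_hash TEXT)")
    conn.executemany(
        "INSERT INTO posts (title, status) VALUES (?, ?)",
        [("Welcome", "published"), ("Draft notes", "draft"), ("Old announcement", "deprecated")],
    )
    # A row the item list should never be able to reach.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "hash-of-admin-password"))
    return conn


def render_vulnerable_sql(show_statuses):
    """Build the query the way the vulnerable pattern does: every array element is
    wrapped in single quotes by concatenation, with no escaping or validation."""
    quoted = ", ".join("'" + s + "'" for s in show_statuses)
    return "SELECT title FROM posts WHERE status IN (" + quoted + ") ORDER BY id"


def list_posts_vulnerable(conn, show_statuses):
    """Run the concatenated query. show_statuses models PHP's $_GET['show_statuses']
    array, i.e. ?show_statuses[]=a&show_statuses[]=b."""
    return [row[0] for row in conn.execute(render_vulnerable_sql(show_statuses))]


def list_posts_parameterized(conn, show_statuses):
    """First layer: bind each element as a parameter. A payload is then only a
    string compared against the status column and cannot change the query."""
    if not show_statuses:
        return []
    placeholders = ", ".join("?" for _ in show_statuses)
    sql = "SELECT title FROM posts WHERE status IN (" + placeholders + ") ORDER BY id"
    return [row[0] for row in conn.execute(sql, list(show_statuses))]


def list_posts_hardened(conn, show_statuses):
    """Second layer on top of binding: reject anything outside the allow-list so
    unexpected input is surfaced (and can be logged) instead of silently matching nothing."""
    bad = [s for s in show_statuses if s not in ALLOWED_STATUSES]
    if bad:
        raise ValueError("unexpected show_statuses[] values: %r" % bad)
    return list_posts_parameterized(conn, show_statuses)


def hardened_rejects(conn, show_statuses):
    """True if the hardened variant refuses the input."""
    try:
        list_posts_hardened(conn, show_statuses)
    except ValueError:
        return True
    return False


# Constructed payload: closes the quote and the IN (...), appends a UNION against
# the users table, and comments out the rest of the original statement.
PAYLOAD = "') UNION SELECT pass_hash FROM users -- "


def demo():
    conn = build_db()
    return {
        "legit_vulnerable": list_posts_vulnerable(conn, ["published", "draft"]),
        "payload_vulnerable": list_posts_vulnerable(conn, [PAYLOAD]),
        "payload_parameterized": list_posts_parameterized(conn, [PAYLOAD]),
        "payload_hardened_rejected": hardened_rejects(conn, [PAYLOAD]),
    }


if __name__ == "__main__":
    print(render_vulnerable_sql([PAYLOAD]))
    for name, result in demo().items():
        print(name, result)
```

With the payload the concatenated statement becomes `SELECT title FROM posts WHERE status IN ('') UNION SELECT pass_hash FROM users -- ') ORDER BY id`, and the password hash comes back in the post list; the bound version returns nothing for the same input, and the allow-listed version refuses it outright.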
The impact is direct access to the database behind the administrative interface. A malicious or compromised administrator can read or modify arbitrary tables rather than only what the admin UI exposes, leading to data theft, data corruption, or full compromise where credentials or configuration live in the database. The CSRF vector widens this considerably: the attacker needs no credentials of their own, only an administrator who visits an attacker-controlled page while logged in; the victim's browser then issues the injecting request with the administrator's session cookie. The flaw is therefore dangerous even where administrator accounts are well protected, because the administrator never has to give up a password, only load a page.
The vulnerability maps to CWE-89 (SQL injection). In ATT&CK terms the authenticated path corresponds to T1078 (Valid Accounts) and the CSRF-assisted path to T1190 (Exploit Public-Facing Application). Organizations running affected versions face unauthorized database access and potential data breaches; the exploit requires little expertise and is easy to automate, which makes it attractive to opportunistic attackers. Upgrading to 4.1.7 or later is the fix.
Beyond patching, operators should validate the parameter at multiple layers (an allow-list of status values in the application, parameterized queries at the database boundary), protect privileged admin requests with anti-CSRF tokens, deploy a web application firewall, and monitor admin.php traffic for unexpected values in show_statuses[] and for admin requests whose Referer points off-site. The flaw also illustrates that authentication alone is not a security boundary: an authenticated session can be driven by a third party through the victim's browser. Regular assessment of administrative interfaces for injection and CSRF weaknesses is therefore worthwhile.
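As an added monitoring example (written for this page; the log lines are constructed, not real b2evolution traffic, and only the path and parameter name come from the advisory), the following Python scans Apache combined-format access log lines and flags requests to admin.php whose show_statuses[] values contain SQL metacharacters or keywords, plus admin requests whose Referer is a third-party origin, the shape a CSRF lure produces. Access logs show only GET query strings, so a POST-based CSRF would surface only through the Referer check; `site_host` is an assumed parameter naming the blog's own host.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format (assumed for the constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Characters and keywords that have no business inside a status name.
SQLI_RE = re.compile(r"('|--|/\*|;|\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b)", re.IGNORECASE)

# Constructed sample lines (not real traffic).
LOG_LINES = [
    # benign admin request from a logged-in administrator
    '198.51.100.7 - admin [01/Jul/2013:10:15:01 +0000] "GET /blogs/admin.php?ctrl=items&show_statuses[]=published&show_statuses[]=draft HTTP/1.1" 200 5123 "http://blog.example.com/blogs/admin.php?ctrl=items" "Mozilla/5.0"',
    # same parameter carrying a quote break-out and a UNION
    '203.0.113.9 - admin [01/Jul/2013:10:16:44 +0000] "GET /blogs/admin.php?ctrl=items&show_statuses[]=%27%29+UNION+SELECT+pass_hash+FROM+users--+ HTTP/1.1" 200 6019 "http://blog.example.com/blogs/admin.php?ctrl=items" "Mozilla/5.0"',
    # admin request whose Referer is a third-party page: the CSRF lure pattern
    '198.51.100.7 - admin [01/Jul/2013:10:17:02 +0000] "GET /blogs/admin.php?ctrl=items&show_statuses[]=%27%29+UNION+SELECT+pass_hash+FROM+users--+ HTTP/1.1" 200 6019 "http://attacker.example/lure.html" "Mozilla/5.0"',
    # public search containing SQL words: not the admin endpoint, so not flagged here
    '203.0.113.9 - - [01/Jul/2013:10:18:30 +0000] "GET /blogs/index.php?s=union+select HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def analyze_request(line, site_host="blog.example.com"):
    """Return an alert dict for a suspicious admin.php request, else None.
    site_host (assumed) is the blog's own host; any other Referer host on an
    admin request is reported as a possible cross-site trigger."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/admin.php"):
        return None
    findings = []
    # parse_qsl URL-decodes values, so %27 and + are seen as the quote and the space.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == "show_statuses[]" and SQLI_RE.search(value):
            findings.append("sql pattern in show_statuses[]: %r" % value)
    referer = m.group("referer")
    ref_host = urlsplit(referer).hostname if referer not in ("-", "") else None
    if ref_host and ref_host != site_host:
        findings.append("admin request with cross-site Referer: %s" % ref_host)
    if not findings:
        return None
    return {"ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"), "findings": findings}


def scan_log(lines, site_host="blog.example.com"):
    """Run analyze_request over every line and keep the alerts."""
    return [a for a in (analyze_request(line, site_host) for line in lines) if a]


if __name__ == "__main__":
    for alert in scan_log(LOG_LINES):
        print(alert)
```

Run over the sample, the second and third lines produce alerts (the third with both an injection finding and a cross-site Referer), while the benign admin request and the public search do not. A Referer can be absent or spoofed, so the second check is a triage signal rather than proof of CSRF; the authoritative control is the anti-CSRF token on the request itself.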