Unrated severity · NVD Advisory · Published Jan 13, 2015 · Updated May 6, 2026

CVE-2014-10034

Description

Multiple SQL injection vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to execute arbitrary SQL commands via the (1) iDisplayLength or (2) iDisplayStart parameter to (a) comments_paginate.php or (b) stores_paginate.php in admin/ajax/.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

couponPHP before 1.2.0 allows SQL injection via iDisplayLength and iDisplayStart parameters in admin/ajax/comments_paginate.php and stores_paginate.php, leading to arbitrary SQL commands.

Vulnerability

The vulnerability exists in the admin area of couponPHP versions before 1.2.0. The iDisplayLength and iDisplayStart parameters in /admin/ajax/comments_paginate.php and /admin/ajax/stores_paginate.php are not sanitized before being used in SQL queries, allowing remote attackers with admin access to inject arbitrary SQL commands. [1], [2]

Exploitation

An attacker must have administrative access to the couponPHP backend. The attack involves crafting a GET request to either comments_paginate.php or stores_paginate.php with malicious SQL injected into the iDisplayLength or iDisplayStart parameters. For example, appending a single quote and SQL code to iDisplayLength can trigger the injection. [2]

Impact

Successful exploitation allows an authenticated admin attacker to execute arbitrary SQL commands, potentially leading to disclosure or modification of database contents, including user credentials and sensitive site data. This can result in a full compromise of the application's database. [1], [2]

Mitigation

The vendor released version 1.2.0 to fix this vulnerability. Users should upgrade to couponPHP 1.2.0 or later. No workarounds are documented. The vulnerability is not listed in CISA's KEV. [1], [2]
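For log review on installations that ran a version before 1.2.0, the following added example (not code from couponPHP or from this advisory) flags requests to the two affected endpoints whose `iDisplayLength` or `iDisplayStart` value is not a plain integer. It assumes the Apache/nginx combined access-log format and that legitimate clients only ever send integers in these parameters; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the CVE description.
ENDPOINTS = ("/admin/ajax/comments_paginate.php", "/admin/ajax/stores_paginate.php")
PARAMS = ("iDisplayLength", "iDisplayStart")
# Assumption: legitimate paging values are integers (-1 is allowed for "all rows").
INT_RE = re.compile(r"-?\d{1,9}")
# Assumption: combined access-log format; only the client IP and request line are used.
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return (param, decoded value) pairs that are not plain integers."""
    parts = urlsplit(target)
    # endswith() also covers installs under a sub-directory such as /shop/admin/...
    if not parts.path.endswith(ENDPOINTS):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    hits = []
    for name in PARAMS:
        for value in query.get(name, []):
            if not INT_RE.fullmatch(value):
                hits.append((name, value))
    return hits

def scan(lines):
    """Return (client_ip, request_target, hits) for every line worth reviewing."""
    findings = []
    for line in lines:
        match = REQ_RE.match(line)
        if not match:
            continue  # not a parsable request line
        hits = suspicious_params(match.group("target"))
        if hits:
            findings.append((match.group("ip"), match.group("target"), hits))
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2015:10:00:01 +0000] "GET /admin/ajax/stores_paginate.php?sEcho=1&iDisplayStart=0&iDisplayLength=25 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Jan/2015:10:00:09 +0000] "GET /admin/ajax/comments_paginate.php?sEcho=2&iDisplayStart=0&iDisplayLength=10%27 HTTP/1.1" 200 97 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [13/Jan/2015:10:02:30 +0000] "GET /index.php?iDisplayLength=abc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {hits}")
```

Only parameters carried in the request line are visible to this check; values sent in a request body do not appear in an access log.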

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:couponphp:couponphp:*:*:*:*:*:*:*:* (range: <=1.1.0)
  • (no CPE) (range: <1.2.0)

Patches

0

No patches discovered yet.

References

7
