| There is an sql injection vulnerability in *miniform* module which is a default module installed in the *WBCE* cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file /modules/miniform/ajax_delete_message.php there is no authentication check. On line |40| in this file, there is a |DELETE| query that is vulnerable, an attacker could jump from the query using tick sign. |
