SQL injection vulnerability in genre.php in the debaser 0.92 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the genreid parameter.
https://www.exploit-db.com/exploits/3630
https://exchange.xforce.ibmcloud.com/vulnerabilities/33372