CVE-2018-25247

MyBB Like Plugin 3.0.0 Cross-Site Scripting via User Profiles

CVSS 5.1 MEDIUM · EPSS 0.2% · CWE-79
In short

MyBB Like Plugin 3.0.0 allows logged-in users to inject malicious scripts into post titles, which then execute when other users view profiles showing liked posts. The injected script can steal the viewer's personal data or perform unwanted actions on the viewer's behalf.

Technical detail

MyBB Like Plugin 3.0.0 has a stored XSS vulnerability: authenticated attackers inject JavaScript via post or thread subjects. It is triggered when a victim views a profile that displays the attacker's liked posts, because the subject is rendered unescaped, resulting in arbitrary script execution in the victim's browser context.

Summary generated and translated by AI from the official description.
MyBB Like Plugin 3.0.0 contains a stored cross-site scripting vulnerability. Authenticated attackers can inject script payloads into post or thread subjects; when other users view a profile that displays the attacker's liked posts, the unsanitized subject is rendered, executing the script in the viewer's browser.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
MyBB · MyBB Like Plugin
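
The unescaped subject rendering described above, shown next to an output-encoded version. This is an added PHP example, not the Like Plugin's code: the function names, row fields, markup and sample subjects are constructed for illustration. MyBB provides its own helper, htmlspecialchars_uni(), for this purpose; the example uses PHP's htmlspecialchars() so it runs stand-alone.

```php
<?php
// Added example, not the Like Plugin's code. Function names, row fields and
// markup are hypothetical; the sample rows are constructed.

// Vulnerable pattern: the stored subject is concatenated into HTML as-is.
function render_liked_unescaped(array $post): string
{
    return '<li><a href="showthread.php?tid=' . (int)$post['tid'] . '">'
         . $post['subject'] . '</a></li>';
}

// Hardened pattern: encode at output time, for the HTML text context.
function render_liked_escaped(array $post): string
{
    $subject = htmlspecialchars($post['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li><a href="showthread.php?tid=' . (int)$post['tid'] . '">'
         . $subject . '</a></li>';
}

// Regression check: does markup from the subject reach the page verbatim?
function subject_markup_survives(string $html, string $subject): bool
{
    return $subject !== strip_tags($subject) && strpos($html, $subject) !== false;
}

// Constructed sample rows standing in for a user's liked posts.
$liked = [
    ['tid' => 12, 'subject' => 'Release notes & roadmap'],
    ['tid' => 13, 'subject' => '<script>alert(1)</script>'],
    ['tid' => 14, 'subject' => '"quoted" <b>bold</b> title'],
];

foreach ($liked as $post) {
    foreach (['render_liked_unescaped', 'render_liked_escaped'] as $fn) {
        $html = $fn($post);
        printf("%-24s tid=%d markup_survives=%s\n    %s\n",
            $fn, $post['tid'],
            subject_markup_survives($html, $post['subject']) ? 'yes' : 'no',
            $html);
    }
}
```

Encoding is applied where the subject is written into the profile page rather than when the post is saved, so subjects already stored in the database are covered as well.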