CVE-2018-25249

MyBB My Arcade Plugin 1.3 Persistent XSS via Comment

CVSS 5.1 MEDIUM · EPSS 0.3% · CWE-79
In short

MyBB My Arcade Plugin 1.3 allows logged-in users to insert malicious code into game score comments that runs when others view or edit them. This can steal user data or perform unwanted actions in their accounts.

Technical detail

The arcade game score comments functionality accepts unsanitized input from authenticated users, which results in a persistent XSS vulnerability. The injected JavaScript executes in the browsers of users who access or modify the affected comments, enabling session hijacking or credential theft.

Summary generated and translated by AI from the official description.
MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N