CVE-2018-25250
MyBB Last User's Threads in Profile Plugin 1.2 Persistent XSS
In short
A plugin for MyBB allows attackers to inject harmful scripts into thread subjects. When other users view the attacker's profile, these scripts run in their browsers without permission.
Technical detail
Persistent XSS vulnerability in MyBB Last User's Threads in Profile Plugin 1.2 via unfiltered thread subject input. Attackers craft malicious thread subjects containing script tags; these execute in the context of any user visiting the attacker's profile, potentially enabling session hijacking or credential theft without user interaction beyond viewing the profile.
Summary generated and translated by AI from the official description.
MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that execute when users visit the attacker's profile page.
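The pattern described above, shown as an added PHP example that is not the plugin's source or code from the advisory: a profile block that prints stored thread subjects unencoded, next to a version that encodes them at output time. The function names, the row layout, the link format and the sample subjects are assumptions constructed for illustration.

```php
<?php
// Added illustration, NOT the plugin's code. Function names and the
// $threads rows are hypothetical; the sample subjects are constructed.

// Vulnerable pattern: the stored subject is concatenated into HTML as-is,
// so any markup in it becomes part of the profile page.
function render_last_threads_unsafe(array $threads): string
{
    $html = "<ul>\n";
    foreach ($threads as $t) {
        $html .= '<li><a href="showthread.php?tid=' . (int)$t['tid'] . '">'
               . $t['subject'] . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened pattern: encode the subject for an HTML text context at output
// time, and cast the thread id to an integer before it enters the URL.
function render_last_threads_safe(array $threads): string
{
    $html = "<ul>\n";
    foreach ($threads as $t) {
        $subject = htmlspecialchars((string)$t['subject'],
                                    ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<li><a href="showthread.php?tid=' . (int)$t['tid'] . '">'
               . $subject . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed rows standing in for one user's most recent threads.
$threads = [
    ['tid' => 101, 'subject' => 'Release notes & upgrade tips'],
    ['tid' => 102, 'subject' => '<script>alert(1)</script>'],
];

$unsafe = render_last_threads_unsafe($threads);
$safe   = render_last_threads_safe($threads);

// Check whether a raw script tag survives into each rendering.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
echo $safe;
```

Encoding at output time also covers subjects that were stored before a fix was deployed, which input filtering alone would not.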
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
MyBB · MyBB Last User's Threads in Profile Plugin
Public PoCs found — 1
Reference: www.exploit-db.com/exploits/44339 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.