CVE-2021-47905
Cross-Site Scripting in MyBB Delete Account Plugin Admin Interface
Publication date: 2026-01-23
Last updated on: 2026-04-09
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mybb | delete_account | 1.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) flaw in the MyBB Delete Account Plugin version 1.4. It occurs in the account deletion reason input field, where attackers can inject malicious scripts. These scripts execute in the administrative interface when viewing the reasons for account deletion, due to improper sanitization of user input. [2, 3]
How can this vulnerability impact me? :
The vulnerability allows attackers to execute arbitrary JavaScript in the context of the administrative interface. This can lead to session hijacking, defacement, or other malicious actions by executing injected scripts when an administrator views the deletion reasons. It poses a medium severity risk with potential impacts on confidentiality and integrity, but no direct availability impact. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the account deletion reason input field in the MyBB Delete Account Plugin version 1.4 for XSS injection. A practical approach is to input a test payload such as `<script>alert('XSS')</script>` in the deletion reason field under User CP -> Delete Account and then check if the script executes in the admin interface when viewing delete account reasons. There are no specific network commands provided, but manual testing of the input field for script injection is recommended. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the Delete Account Plugin in the MyBB Admin Control Panel to prevent exploitation. Administrators should avoid viewing deletion reasons until a patch or update is applied. Additionally, input validation and sanitization should be implemented on the deletion reason field to prevent script injection. If possible, update or patch the plugin to a version that addresses this vulnerability or remove the plugin until a fix is available. [1, 2]