Executive Summary

This vulnerability is a cross-site scripting (XSS) flaw in the MyBB Delete Account Plugin version 1.4. It occurs in the account deletion reason input field, where attackers can inject malicious scripts. These scripts execute in the administrative interface when viewing the reasons for account deletion, due to improper sanitization of user input. [2, 3]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers to execute arbitrary JavaScript in the context of the administrative interface. This can lead to session hijacking, defacement, or other malicious actions by executing injected scripts when an administrator views the deletion reasons. It poses a medium severity risk with potential impacts on confidentiality and integrity, but no direct availability impact. [2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the account deletion reason input field in the MyBB Delete Account Plugin version 1.4 for XSS injection. A practical approach is to input a test payload such as `<script>alert('XSS')</script>` in the deletion reason field under User CP -> Delete Account and then check if the script executes in the admin interface when viewing delete account reasons. There are no specific network commands provided, but manual testing of the input field for script injection is recommended. [3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the Delete Account Plugin in the MyBB Admin Control Panel to prevent exploitation. Administrators should avoid viewing deletion reasons until a patch or update is applied. Additionally, input validation and sanitization should be implemented on the deletion reason field to prevent script injection. If possible, update or patch the plugin to a version that addresses this vulnerability or remove the plugin until a fix is available. [1, 2]

Useful 0 Not Useful 0