CVE-2018-25247
Analyzed Analyzed - Analysis Complete
Cross-Site Scripting in MyBB Like Plugin 3.0.0 Allows Script Injection

Publication date: 2026-04-04

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
MyBB Like Plugin 3.0.0 contains a stored cross-site scripting vulnerability. Authenticated attackers can inject script payloads into post or thread subjects; when other users view a profile that displays the attacker's liked posts, the unsanitized subject is rendered, executing the script in the viewer's browser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2018-25247
EUVD
EUVD-2018-21746
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mybb thankyou/like_system to 3.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows remote attackers to execute arbitrary scripts in the context of other users who view the attacker's profile page. The impact includes potential session hijacking and other malicious actions that can compromise user accounts or data. Since the attack requires user interaction (viewing the profile), it can be exploited over the network with low attack complexity and no privileges required.

Executive Summary

CVE-2018-25247 is a cross-site scripting (XSS) vulnerability in MyBB Like Plugin version 3.0.0. It occurs because the plugin does not properly sanitize user input in post or thread subject fields. Attackers can create posts or threads with malicious script tags in the subject. When other users view the attacker's profile page, where liked posts are displayed without sanitization, the malicious scripts execute.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious script tags in post or thread subject fields, especially those displayed in user profiles where liked posts appear without sanitization.

A practical approach is to review the subject content of posts or threads for suspicious input such as <script> tags.

Since this is a web application vulnerability, detection involves inspecting the web interface or database entries for injected scripts.

  • Use a web proxy tool (e.g., Burp Suite) to intercept and analyze HTTP requests and responses for script injection in post subjects.
  • Run a database query to search for script tags in post or thread subject fields, for example (assuming MySQL): SELECT * FROM posts WHERE subject LIKE '%<script>%';
  • Manually visit user profiles with liked posts and observe if any alert boxes or unexpected scripts execute, indicating XSS.
Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user input in post and thread subject fields to prevent script injection.

Since the vulnerability arises from lack of input sanitization, applying patches or updates from the plugin developer that fix this issue is recommended.

If no patch is available, consider temporarily disabling the Like Plugin or restricting user permissions to prevent creation of posts or threads with malicious subjects.

Additionally, educate users to avoid clicking on suspicious profiles or posts until the issue is resolved.

Compliance Impact

The vulnerability allows attackers to inject and execute malicious scripts in other users' browsers by exploiting unsanitized input in post or thread subjects. This can lead to session hijacking or other malicious actions.

Such cross-site scripting (XSS) vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access to personal data or compromise the confidentiality and integrity of user information.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart