CVE-2018-25249
Persistent XSS in MyBB My Arcade Plugin via Score Comments

Publication date: 2026-04-04

Last updated on: 2026-04-10

Assigner: VulnCheck

Description
MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-04
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
One associated CPE:
Vendor: mybb; Product: my_arcade; Version / Range: 1.3
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2018-25249 is a persistent cross-site scripting (XSS) vulnerability found in the MyBB My Arcade Plugin version 1.3 and earlier. It allows authenticated users to inject malicious HTML and JavaScript code into arcade game score comments.

When other users view or edit these comments, the injected scripts execute, potentially compromising their security.

The vulnerability exists because the comment input field does not properly sanitize user input, enabling attackers to insert crafted scripts that persistently execute.

Impact Analysis

This vulnerability can impact users by allowing attackers to execute malicious scripts in their browsers when they view or edit compromised comments.

Such script execution can lead to theft of user credentials, session hijacking, defacement, or other malicious actions depending on the payload.

Because the vulnerability requires authenticated user privileges to inject scripts, it can be exploited by users with legitimate access to the forum.

Detection Guidance

This vulnerability can be detected by inspecting the comments in the MyBB My Arcade Plugin for the presence of malicious HTML or JavaScript code injected into arcade game score comments.

A practical approach is to search the database or web interface for suspicious script tags or unusual HTML in the comment fields.

  • Use SQL queries to find comments containing script tags, for example: SELECT * FROM myarcade_comments WHERE comment LIKE '%<script>%';
  • Use web application security scanners or manual testing by adding crafted comments with script tags and observing if they execute when viewed or edited.
  • Monitor HTTP traffic for suspicious payloads in POST requests to the comment submission endpoints.
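As an added example (not from this page or from the plugin's author), a small Python scanner that applies the detection idea above to rows exported from the comment table, and that goes beyond the single LIKE '%<script>%' query by also catching inline event handlers, javascript: URIs and embedding tags. The table and column names (myarcade_comments, cid, uid, comment) follow the guidance's query and are assumed; the sample rows are constructed.

```python
import re

# Constructed sample rows shaped like the myarcade_comments table named in the
# guidance (assumed schema: cid, uid, comment). Not real forum data.
SAMPLE_ROWS = [
    {"cid": 1, "uid": 7, "comment": "Nice score, beat it next week!"},
    {"cid": 2, "uid": 9, "comment": "gg <script>alert(1)</script>"},
    {"cid": 3, "uid": 9, "comment": '<img src=x onerror="alert(1)">'},
    {"cid": 4, "uid": 3, "comment": '<a href="javascript:void(0)">top</a>'},
    {"cid": 5, "uid": 4, "comment": "Use <b>bold</b> tags? 1 < 2 and 3 > 2"},
]

# Indicators of HTML/JS injection in a stored comment. Broader than the
# guidance's LIKE '%<script>%', which misses <script src=...>, inline event
# handlers and javascript: URIs.
INDICATORS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"<[^>]*\son[a-z]+\s*=", re.I | re.S)),
    ("javascript-uri", re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.I)),
    ("embedding-tag", re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I)),
]


def classify_comment(text):
    """Return the indicator labels that match a single comment body."""
    return [label for label, pat in INDICATORS if pat.search(text)]


def naive_like_match(text):
    """Mimic the guidance's LIKE '%<script>%' (MySQL LIKE is case-insensitive
    under the default *_ci collations, so compare lower-cased)."""
    return "<script>" in text.lower()


def scan_rows(rows):
    """Scan exported comment rows; return one finding per row that trips an
    indicator, noting whether the naive LIKE query would have caught it."""
    findings = []
    for row in rows:
        labels = classify_comment(row["comment"])
        if labels:
            findings.append({"cid": row["cid"], "uid": row["uid"],
                             "indicators": labels,
                             "caught_by_naive_like": naive_like_match(row["comment"])})
    return findings


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Benign markup such as `<b>` or a bare `1 < 2` comparison is not flagged, so the scanner can be run over a full export without drowning in false positives.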
Mitigation Strategies

The immediate mitigation step is to upgrade the MyBB My Arcade Plugin to version 1.3.1 or later, where the vulnerability has been patched by properly sanitizing user input in the comment field.

If upgrading is not immediately possible, restrict authenticated users' ability to add or edit comments in the arcade plugin to trusted users only.

Implement web application firewall (WAF) rules to detect and block common XSS payloads in comment submissions.

Educate users to be cautious when viewing or editing arcade game score comments until the patch is applied.

Compliance Impact

The provided information does not specify any direct impact of the MyBB My Arcade Plugin persistent XSS vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
