CVE-2018-25250
Persistent XSS in MyBB Last User's Threads Plugin
Publication date: 2026-04-04
Last updated on: 2026-04-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mybb | last_user_threads | to 1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability allows attackers to execute malicious scripts in the context of users visiting the affected profile page. This can lead to theft of user credentials, session hijacking, or other malicious activities performed by the injected script.
Since the vulnerability is persistent, the malicious script remains stored and executes every time the profile page is viewed, potentially affecting multiple users.
Can you explain this vulnerability to me?
The MyBB Last User's Threads in Profile Plugin version 1.2 contains a persistent cross-site scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize the thread subject input, allowing attackers to inject malicious JavaScript code.
An attacker can create a thread with a specially crafted subject containing script tags. When users visit the attacker's profile page, the injected script executes, which can lead to various malicious actions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious script tags in the thread subject fields displayed on user profile pages. Specifically, you can look for threads with subjects containing script tags such as <script> or similar payloads.
A practical way to detect this is to manually inspect user profile pages for unexpected JavaScript execution or to search the database for thread subjects containing suspicious script tags.
- Use a database query to find thread subjects containing script tags, for example (SQL): SELECT * FROM threads WHERE subject LIKE '%<script>%';
- Use web crawling or automated scanning tools to visit user profile pages and detect if any JavaScript alerts or unexpected scripts execute.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the available patch that properly sanitizes the thread subject input to prevent script injection.
If patching is not immediately possible, consider disabling the 'Last User's Threads in Profile' plugin version 1.2 to prevent the vulnerability from being exploited.
Additionally, review and sanitize all user-generated content fields to remove or encode script tags and other potentially malicious input.