CVE-2018-25250
Received Received - Intake
Persistent XSS in MyBB Last User's Threads Plugin

Publication date: 2026-04-04

Last updated on: 2026-04-20

Assigner: VulnCheck

Description
MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that execute when users visit the attacker's profile page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2018-25250
EUVD
EUVD-2018-21752
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mybb last_user_threads to 1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows attackers to execute malicious scripts in the context of users visiting the affected profile page. This can lead to theft of user credentials, session hijacking, or other malicious activities performed by the injected script.

Since the vulnerability is persistent, the malicious script remains stored and executes every time the profile page is viewed, potentially affecting multiple users.

Executive Summary

The MyBB Last User's Threads in Profile Plugin version 1.2 contains a persistent cross-site scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize the thread subject input, allowing attackers to inject malicious JavaScript code.

An attacker can create a thread with a specially crafted subject containing script tags. When users visit the attacker's profile page, the injected script executes, which can lead to various malicious actions.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious script tags in the thread subject fields displayed on user profile pages. Specifically, you can look for threads with subjects containing script tags such as <script> or similar payloads.

A practical way to detect this is to manually inspect user profile pages for unexpected JavaScript execution or to search the database for thread subjects containing suspicious script tags.

  • Use a database query to find thread subjects containing script tags, for example (SQL): SELECT * FROM threads WHERE subject LIKE '%<script>%';
  • Use web crawling or automated scanning tools to visit user profile pages and detect if any JavaScript alerts or unexpected scripts execute.
Mitigation Strategies

The immediate mitigation step is to apply the available patch that properly sanitizes the thread subject input to prevent script injection.

If patching is not immediately possible, consider disabling the 'Last User's Threads in Profile' plugin version 1.2 to prevent the vulnerability from being exploited.

Additionally, review and sanitize all user-generated content fields to remove or encode script tags and other potentially malicious input.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart