CVE-2018-11502

MEDIUM

Moderator Log Notes 1.1 - Cross-Site Request Forgery


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-11502. PoCs published by 0xB9.

AI-analyzed exploit summary: This exploit demonstrates a CSRF vulnerability in MyBB Moderator Log Notes Plugin 1.1, allowing an attacker to delete mod notes and logs via crafted HTML with hidden image tags. The PoC triggers unauthorized actions by leveraging the lack of CSRF tokens in the plugin's admin and modCP endpoints.

Description

An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF.

Exploits (1)

exploitdb WORKING POC
by 0xB9 · text · webapps · php
https://www.exploit-db.com/exploits/45224


Classification: Working PoC 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: MyBB Moderator Log Notes Plugin 1.1
Auth required
Prerequisites: Victim must be authenticated as a moderator or admin · Victim must visit the malicious HTML page
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45224/

Scores

CVSS v3 6.5
EPSS 0.0192
EPSS Percentile 77.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE CWE-352
Status published
Products (1)
moderator_log_notes_project/moderator_log_notes 1.1
Published Aug 24, 2018
Tracked Since Feb 18, 2026