CVE-2018-14724

MEDIUM

MyBB Ban List Plugin 1.0 - Stored Cross-Site Scripting via Ban Reason Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-14724. PoCs published by 0xB9.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in MyBB's Bans List plugin (v1.0), where a moderator can inject malicious JavaScript into the ban reason field, which executes when other users view the bans.php page.

Description

In the Ban List plugin 1.0 for MyBB, any forum user with mod privileges can ban users and input an XSS payload into the ban reason, which is executed on the bans.php page.

Exploits (1)

exploitdb WORKING POC
by 0xB9 · text · webapps · php
https://www.exploit-db.com/exploits/46347

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: MyBB Bans List plugin v1.0
Auth required
Prerequisites: moderator account · access to ban functionality
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46347

Scores

CVSS v3 5.4
EPSS 0.0070
EPSS Percentile 48.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
mybb/ban_list 1.0
Published Mar 21, 2019
Tracked Since Feb 18, 2026