CVE-2018-17128

MEDIUM

MyBB < 1.8.19 - Stored Cross-Site Scripting via Video MyCode in Visual Editor

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-17128. PoCs published by Numan OZDEMIR.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in MyBB Visual Editor up to version 1.8.18, where the 'videotype' parameter in video embeds can be manipulated to execute arbitrary JavaScript in a victim's browser when they interact with a malicious post.

Description

A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.

Exploits (1)

exploitdb WRITEUP

by Numan OZDEMIR · textwebappsphp

https://www.exploit-db.com/exploits/45449

View Code ZIP pw:eip

This is a writeup describing a stored XSS vulnerability in MyBB Visual Editor up to version 1.8.18, where the 'videotype' parameter in video embeds can be manipulated to execute arbitrary JavaScript in a victim's browser when they interact with a malicious post.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: MyBB Visual Editor <= 1.8.18

Auth required

Prerequisites: Attacker must have the ability to create or edit a post in the MyBB forum · Victim must interact with the malicious post using the visual editor

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45449/

Scores

CVSS v3 5.4

EPSS 0.7475

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

mybb/mybb < 1.8.19

Published Sep 17, 2018

Tracked Since Feb 18, 2026