CVE-2018-25247

MEDIUM

MyBB Like Plugin 3.0.0 Cross-Site Scripting via User Profiles

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25247. PoCs published by 0xB9.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in the MyBB Like Plugin 3.0.0, where unsanitized post/thread subjects are rendered in user profiles. The PoC involves injecting a malicious script into a post/thread subject, which executes when viewed in the profile.

Description

MyBB Like Plugin 3.0.0 contains a stored cross-site scripting vulnerability. Authenticated attackers can inject script payloads into post or thread subjects; when other users view a profile that displays the attacker's liked posts, the unsanitized subject is rendered, executing the script in the viewer's browser.

Exploits (1)

exploitdb WORKING POC

by 0xB9 · textwebappsphp

https://www.exploit-db.com/exploits/45179

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in the MyBB Like Plugin 3.0.0, where unsanitized post/thread subjects are rendered in user profiles. The PoC involves injecting a malicious script into a post/thread subject, which executes when viewed in the profile.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: MyBB Like Plugin 3.0.0

Auth required

Prerequisites: User must create a post/thread with malicious subject · Post/thread must be liked by another user

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Apr 07, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-45179

https://www.exploit-db.com/exploits/45179

Product product

Product Reference

https://community.mybb.com/mods.php?action=view&pid=360

Third Party Advisory third-party-advisory

VulnCheck Advisory: MyBB Like Plugin 3.0.0 Cross-Site Scripting via User Profiles

https://www.vulncheck.com/advisories/mybb-like-plugin-cross-site-scripting-via-user-profiles

Scores

CVSS v3 6.1

EPSS 0.0022

EPSS Percentile 12.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

MyBB/MyBB Like Plugin 3.0.0

mybb/thankyou\/like_system < 3.0.0

Published Apr 04, 2026

Tracked Since Apr 04, 2026