CVE-2018-25248

HIGH

MyBB Downloads Plugin 2.0.3 Persistent XSS via downloads.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25248. PoCs published by 0xB9.

AI-analyzed exploit summary

The exploit describes a persistent XSS vulnerability in MyBB Downloads Plugin v2.0.3, where an attacker can inject malicious JavaScript into the title field of a new download, which executes when an admin reviews it. The proof of concept is straightforward and relies on user input being rendered without proper sanitization.

Description

MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators validate the download in downloads.php.

Exploits (1)

exploitdb WRITEUP
by 0xB9 · text · webapps · php
https://www.exploit-db.com/exploits/44400


Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: MyBB Downloads Plugin v2.0.3
Auth required
Prerequisites: User account with permission to create downloads · Admin interaction to review the download
devstral-2 · analyzed Apr 07, 2026

References (3)

Core References (3)
Third Party Advisory
VulnCheck Advisory: MyBB Downloads Plugin 2.0.3 Persistent XSS via downloads.php
https://www.vulncheck.com/advisories/mybb-downloads-plugin-persistent-xss-via-downloads-php
Exploit
ExploitDB-44400
https://www.exploit-db.com/exploits/44400

Scores

CVSS v3 7.2
EPSS 0.0022
EPSS Percentile 13.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
MyBB/MyBB Downloads Plugin 2.0.3
mybb/mybb_downloads 2.0.3
Published Apr 04, 2026
Tracked Since Apr 04, 2026