CVE-2018-25249

MEDIUM

MyBB My Arcade Plugin 1.3 Persistent XSS via Comment

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25249. PoCs published by 0xB9.

AI-analyzed exploit summary This is a technical writeup describing a persistent XSS vulnerability in MyBB My Arcade Plugin v1.3. It includes a proof-of-concept payload and references a patch commit.

Description

MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment.

Exploits (1)

exploitdb WRITEUP VERIFIED
by 0xB9 · textwebappsphp
https://www.exploit-db.com/exploits/44186

This is a technical writeup describing a persistent XSS vulnerability in MyBB My Arcade Plugin v1.3. It includes a proof-of-concept payload and references a patch commit.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: MyBB My Arcade Plugin v1.3
Auth required
Prerequisites: User authentication · Ability to play an arcade game and submit a score
devstral-2 · analyzed Apr 07, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory third-party-advisory
VulnCheck Advisory: MyBB My Arcade Plugin 1.3 Persistent XSS via Comment
https://www.vulncheck.com/advisories/mybb-my-arcade-plugin-persistent-xss-via-comment
Exploit exploit
ExploitDB-44186
https://www.exploit-db.com/exploits/44186

Scores

CVSS v3 6.4
EPSS 0.0025
EPSS Percentile 16.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
mybb/my_arcade 1.3
MyBB/MyBB My Arcade Plugin 1.3
Published Apr 04, 2026
Tracked Since Apr 04, 2026