CVE-2018-25249

MEDIUM

MyBB My Arcade Plugin 1.3 Persistent XSS via Comment

Title source: cna

Description

MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment.

Exploits (1)

exploitdb WRITEUP VERIFIED
by 0xB9 · text · webapps · php
https://www.exploit-db.com/exploits/44186

References (3)

Core References
Third Party Advisory
VulnCheck Advisory: MyBB My Arcade Plugin 1.3 Persistent XSS via Comment
https://www.vulncheck.com/advisories/mybb-my-arcade-plugin-persistent-xss-via-comment
Exploit
ExploitDB-44186
https://www.exploit-db.com/exploits/44186

Scores

CVSS v3: 6.4
EPSS: 0.0001
EPSS Percentile: 0.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (2)
mybb/my_arcade 1.3
MyBB/MyBB My Arcade Plugin 1.3
Published: Apr 04, 2026
Tracked Since: Apr 04, 2026