CVE-2019-3501

MEDIUM

ougc_awards < 1.8.19 - Stored Cross-Site Scripting via Award Reason

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-3501. PoCs published by 0xB9.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in the OUGC Awards plugin for MyBB. The vulnerability allows admins or moderators to inject malicious scripts via the 'reason' field when granting awards, which executes when viewed on awards.php or user profiles.

Description

The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile.

Exploits (1)

exploitdb WRITEUP

by 0xB9 · textwebappsphp

https://www.exploit-db.com/exploits/46080

View Code ZIP pw:eip

This is a writeup describing a stored XSS vulnerability in the OUGC Awards plugin for MyBB. The vulnerability allows admins or moderators to inject malicious scripts via the 'reason' field when granting awards, which executes when viewed on awards.php or user profiles.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: MyBB OUGC Awards Plugin v1.8.3

Auth required

Prerequisites: Moderator or admin access to MyBB forum

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46080/

Third Party Advisory x_refsource_misc

https://github.com/Sama34/OUGC-Awards/pull/31

Exploit, Issue Tracking, Third Party Advisory x_refsource_misc

https://github.com/Sama34/OUGC-Awards/issues/29

Scores

CVSS v3 4.8

EPSS 0.0235

EPSS Percentile 81.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

ougc_awards_project/ougc_awards < 1.8.19

Published Jan 02, 2019

Tracked Since Feb 18, 2026