CVE-2021-47934

MEDIUM

MyBB Timeline Plugin 1.0 Cross-Site Scripting and CSRF

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47934. PoCs published by 0xB9.

AI-analyzed exploit summary The exploit demonstrates XSS and CSRF vulnerabilities in MyBB Timeline Plugin 1.0. It provides functional payloads for XSS via thread/post, location/bio, and a CSRF form to change the timeline banner.

Description

MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php profile action to change a user's cover picture by crafting malicious forms that execute when victims visit affected profiles.

Exploits (1)

exploitdb WORKING POC

by 0xB9 · textwebappsphp

https://www.exploit-db.com/exploits/49467

View Code ZIP pw:eip

The exploit demonstrates XSS and CSRF vulnerabilities in MyBB Timeline Plugin 1.0. It provides functional payloads for XSS via thread/post, location/bio, and a CSRF form to change the timeline banner.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: MyBB Timeline Plugin 1.0

Auth required

Prerequisites: User account with permission to create threads/posts or edit profile · Victim interaction for XSS execution

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-49467

https://www.exploit-db.com/exploits/49467

Product product

Product Reference

https://community.mybb.com/mods.php?action=view&pid=1428

Third Party Advisory third-party-advisory

VulnCheck Advisory: MyBB Timeline Plugin 1.0 Cross-Site Scripting and CSRF

https://www.vulncheck.com/advisories/mybb-timeline-plugin-cross-site-scripting-and-csrf

Scores

CVSS v3 5.3

EPSS 0.0023

EPSS Percentile 13.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

MyBB/MyBB Timeline Plugin 1.0

Published May 16, 2026

Tracked Since May 16, 2026