CVE-2023-28467

MEDIUM

MyBB < 1.8.34 - Stored Cross-Site Scripting via User CP Email Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-28467. PoCs published by ahmetaltuntas.

AI-analyzed exploit summary This repository documents a persistent XSS vulnerability in MyBB 1.8.33, where an authenticated user can inject malicious HTML via the email field in the User CP module. The payload is triggered when accessing the User CP Home page.

Description

In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.

Exploits (1)

nomisec WRITEUP 4 stars
by ahmetaltuntas · poc
https://github.com/ahmetaltuntas/CVE-2023-28467

This repository documents a persistent XSS vulnerability in MyBB 1.8.33, where an authenticated user can inject malicious HTML via the email field in the User CP module. The payload is triggered when accessing the User CP Home page.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: MyBB < 1.8.34
Auth required
Prerequisites: Authenticated user access to MyBB User CP
MITRE ATT&CK
mistral-large-3 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2
Core References

Scores

CVSS v3 6.1
EPSS 0.0051
EPSS Percentile 40.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
mybb/mybb < 1.8.34
Published May 22, 2023
Tracked Since Feb 18, 2026