Description
MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating posts or threads with unvalidated subject content. Attackers can craft post subjects containing script tags that execute when other users view the attacker's profile, where liked posts are displayed without sanitization.
Published: 2026-04-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side XSS
Action: Disable plugin
AI Analysis

Impact

MyBB Like Plugin 3.0.0 contains a flaw that allows attackers to embed malicious script tags in post subjects. When other members look at the attacker’s profile, the plugin displays liked posts without sanitizing the subject field, so the script executes in their browser. This type of client‑side cross‑site scripting can be used to steal cookies, deface pages, or redirect.

Affected Systems

The vulnerability is limited to the MyBB Like Plugin version 3.0.0 installed on MyBB forum software. No other releases or plugins are listed as affected in the available CNA data.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity for a client‑side flaw. No EPSS information is supplied and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to create or modify a post with a crafted subject—usually a registered user with posting rights. Once a forum member views the affected profile, the injected script runs automatically, compromising confidentiality and potentially enabling session hijacking, but it does not require remote code execution on the server or network‑level access.

Generated by OpenCVE AI on April 4, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the MyBB Like Plugin until a vendor patch becomes available
  • Ensure that any remaining post subjects are escaped or encoded before rendering in the user interface
  • Monitor user activity for suspicious post content and review logs for signs of exploitation

Generated by OpenCVE AI on April 4, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mybb thankyou\/like System
CPEs cpe:2.3:a:mybb:thankyou\/like_system:*:*:*:*:*:mybb:*:*
Vendors & Products Mybb thankyou\/like System

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Mybb mybb Like Plugin
Vendors & Products Mybb mybb Like Plugin
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating posts or threads with unvalidated subject content. Attackers can craft post subjects containing script tags that execute when other users view the attacker's profile, where liked posts are displayed without sanitization.
Title MyBB Like Plugin 3.0.0 Cross-Site Scripting via User Profiles
First Time appeared Mybb
Mybb mybb
Weaknesses CWE-79
CPEs cpe:2.3:a:mybb:mybb:3.0.0:*:*:*:*:*:*:*
Vendors & Products Mybb
Mybb mybb
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Mybb Mybb Mybb Like Plugin Thankyou\/like System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:59:16.411Z

Reserved: 2026-04-04T13:21:58.860Z

Link: CVE-2018-25247

cve-icon Vulnrichment

Updated: 2026-04-06T18:59:03.666Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-04T14:16:20.500

Modified: 2026-04-20T14:30:36.060

Link: CVE-2018-25247

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:57:40Z

Weaknesses