Description
MyBB Like Plugin 3.0.0 contains a stored cross-site scripting vulnerability. Authenticated attackers can inject script payloads into post or thread subjects; when other users view a profile that displays the attacker's liked posts, the unsanitized subject is rendered, executing the script in the viewer's browser.
Published: 2026-04-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MyBB Like Plugin 3.0.0 has a stored cross‑site scripting flaw that allows an authenticated user to insert script payloads into post or thread subjects. When other forum members view the attacker’s profile, the plugin renders the un‑sanitized subject, which causes the script to execute in the viewer’s browser. This client‑side exploitation can be used to steal session cookies, deface pages, or redirect traffic.

Affected Systems

The vulnerability is limited to the MyBB Like Plugin version 3.0.0 installed on MyBB forum software. No other releases or plugins are listed as affected in the available CNA data.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity for a client‑side flaw. The EPSS score of < 1% indicates low but non‑zero chance of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to create or modify a post or thread with a crafted subject—usually an authenticated user with posting rights. Once a forum member views the affected profile, the injected script runs automatically, compromising confidentiality and potentially enabling session hijacking, but it does not require remote code execution on the server or network‑level access.

Generated by OpenCVE AI on May 26, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the MyBB Like Plugin until a vendor patch becomes available
  • Ensure that any remaining post subjects are escaped or encoded before rendering in the user interface
  • Monitor user activity for suspicious post content and review logs for signs of exploitation

Generated by OpenCVE AI on May 26, 2026 at 01:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type Values Removed Values Added
Description MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating posts or threads with unvalidated subject content. Attackers can craft post subjects containing script tags that execute when other users view the attacker's profile, where liked posts are displayed without sanitization. MyBB Like Plugin 3.0.0 contains a stored cross-site scripting vulnerability. Authenticated attackers can inject script payloads into post or thread subjects; when other users view a profile that displays the attacker's liked posts, the unsanitized subject is rendered, executing the script in the viewer's browser.

Mon, 20 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mybb thankyou\/like System
CPEs cpe:2.3:a:mybb:thankyou\/like_system:*:*:*:*:*:mybb:*:*
Vendors & Products Mybb thankyou\/like System

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Mybb mybb Like Plugin
Vendors & Products Mybb mybb Like Plugin
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating posts or threads with unvalidated subject content. Attackers can craft post subjects containing script tags that execute when other users view the attacker's profile, where liked posts are displayed without sanitization.
Title MyBB Like Plugin 3.0.0 Cross-Site Scripting via User Profiles
First Time appeared Mybb
Mybb mybb
Weaknesses CWE-79
CPEs cpe:2.3:a:mybb:mybb:3.0.0:*:*:*:*:*:*:*
Vendors & Products Mybb
Mybb mybb
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Mybb Mybb Mybb Like Plugin Thankyou\/like System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:40:59.740Z

Reserved: 2026-04-04T13:21:58.860Z

Link: CVE-2018-25247

cve-icon Vulnrichment

Updated: 2026-04-06T18:59:03.666Z

cve-icon NVD

Status : Modified

Published: 2026-04-04T14:16:20.500

Modified: 2026-05-26T00:16:43.783

Link: CVE-2018-25247

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T02:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')