Description
MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators validate the download in downloads.php.
Published: 2026-04-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via malicious download titles
Action: Apply Patch
AI Analysis

Impact

The MyBB Downloads Plugin 2.0.3 contains a persistent cross‑site scripting flaw that lets any regular member inject JavaScript or HTML into the title field when creating a new download. When an administrator later approves the download through downloads.php, the injected code executes in the administrator’s browser. This can lead to session hijacking, credential theft, or defacement within the site’s administrative interface.
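To make the flaw class concrete, the following is an added illustration and not the plugin's own code: a moderator listing that prints a member-supplied title into HTML unescaped, beside the same listing with output encoding applied. The row layout, the `did` column and the validate link's query string are assumptions; the sample titles are constructed.

```php
<?php
// Added illustration of the stored XSS pattern described above; not the plugin's code.
// Assumed: the admin validation view reads pending rows (with a `title` column) and
// prints them as an HTML list with a "Validate" link per row.

// Constructed sample rows, as members could have submitted them.
$pending = [
    ['did' => 1, 'title' => 'Release notes 2.0.3'],
    ['did' => 2, 'title' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: the user-controlled title is interpolated into markup as-is,
// so the second row's script tag reaches the administrator's browser intact.
function render_pending_vulnerable(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        // hypothetical link target; the real query string is not on the page
        $html .= "<li>{$row['title']} <a href=\"downloads.php?action=validate&did={$row['did']}\">Validate</a></li>\n";
    }
    return $html;
}

// Hardened pattern: encode at the point the value enters HTML. ENT_QUOTES also
// neutralises quotes in case the title is ever placed inside an attribute.
// MyBB core provides htmlspecialchars_uni() for the same purpose.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_pending_hardened(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $did = (int) $row['did'];   // numeric id: cast instead of trusting the string
        $html .= '<li>' . esc($row['title'])
               . ' <a href="downloads.php?action=validate&amp;did=' . $did . '">Validate</a></li>' . "\n";
    }
    return $html;
}

echo render_pending_vulnerable($pending);   // second row contains a live <script> tag
echo render_pending_hardened($pending);     // second row shows &lt;script&gt;... as text
```

The same encoding must be applied everywhere the title is rendered, not only in the validation view, because the value stays stored and is reused in member-facing pages as well.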

Affected Systems

All sites running MyBB Downloads Plugin version 2.0.3 are vulnerable. The flaw lies in the title field processed by downloads.php and requires no elevated privileges to exploit, since any regular member can submit a malicious title.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity, and the EPSS score of less than 1% signals a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Because the flaw is in web‑based input handling, an attacker needs only web access and a valid member account to create the malicious download, which makes it relatively easy to execute. The impact is limited to administrative sessions but can be leveraged to take over the site if an administrator’s session is hijacked.

Generated by OpenCVE AI on April 10, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Monitor administrative logs for unusual script execution or changes to download titles and perform regular code reviews of custom plugins

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mybb mybb Downloads
CPEs                                  cpe:2.3:a:mybb:mybb_downloads:2.0.3:*:*:*:*:mybb:*:*
Vendors & Products                    Mybb mybb Downloads

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mybb mybb Downloads Plugin
Vendors & Products                    Mybb mybb Downloads Plugin

Mon, 06 Apr 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 15:00:00 +0000

Type                 Values Removed   Values Added
Description                           MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators validate the download in downloads.php.
Title                                 MyBB Downloads Plugin 2.0.3 Persistent XSS via downloads.php
First Time appeared                   Mybb; Mybb mybb
Weaknesses                            CWE-79
CPEs                                  cpe:2.3:a:mybb:mybb:2.0.3:*:*:*:*:*:*:*
Vendors & Products                    Mybb; Mybb mybb
References
Metrics                               cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}
                                      cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:28:20.813Z

Reserved: 2026-04-04T13:22:18.496Z

Link: CVE-2018-25248

Vulnrichment

Updated: 2026-04-06T15:08:22.463Z

NVD

Status : Analyzed

Published: 2026-04-04T14:16:20.683

Modified: 2026-04-10T21:21:02.997

Link: CVE-2018-25248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:59Z

Weaknesses