Description
MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment.
Published: 2026-04-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

Persistent cross-site scripting was discovered in the MyBB My Arcade Plugin version 1.3. The flaw allows an authenticated user to insert arbitrary HTML or JavaScript into score comments; when another user views or edits the comment, the injected code executes in that user's browser, potentially stealing session cookies, defacing the site, or redirecting users to malicious sites.

Affected Systems

The vulnerability affects installations that run the MyBB My Arcade Plugin 1.3; the plugin's integration with MyBB 1.3 makes the core forum software indirectly susceptible. Any site that has this version of the plugin installed without a fix applied is impacted.

Risk and Exploitability

The CVSS score of 5.1 places the issue in the medium severity range, and the EPSS score below 1% indicates a low probability of current exploitation. Because the attack requires authentication, only users with login privileges can inject the payload, yet the resulting XSS can compromise every other forum user who views the vulnerable comment. The vulnerability is not listed in CISA's KEV catalog, which suggests limited observed exploitation, but the potential for credential theft and defacement warrants moderately high vigilance.

Generated by OpenCVE AI on April 10, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyBB My Arcade Plugin to a version that resolves the persistent XSS flaw or remove the plugin if no update is available.
  • Restrict comment posting and editing permissions for the Arcade plugin to trusted administrators only.
  • If an upgrade cannot be performed immediately, disable the score comment feature within the plugin to remove the injection point.
  • Monitor forum activity logs for repeated XSS attempts and review user accounts for unusual behavior.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:30:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Mybb my Arcade
  CPEs                                  cpe:2.3:a:mybb:my_arcade:1.3:*:*:*:*:mybb:*:*
  Vendors & Products                    Mybb my Arcade

Tue, 07 Apr 2026 00:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Mybb mybb My Arcade Plugin
  Vendors & Products                    Mybb mybb My Arcade Plugin

Mon, 06 Apr 2026 14:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 15:00:00 +0000

  Type                 Values Removed   Values Added
  Description                           MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment.
  Title                                 MyBB My Arcade Plugin 1.3 Persistent XSS via Comment
  First Time appeared                   Mybb
                                        Mybb mybb
  Weaknesses                            CWE-79
  CPEs                                  cpe:2.3:a:mybb:mybb:1.3:*:*:*:*:*:*:*
  Vendors & Products                    Mybb
                                        Mybb mybb
  References
  Metrics                               cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
                                        cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T13:27:13.858Z

Reserved: 2026-04-04T13:23:08.958Z

Link: CVE-2018-25249

Vulnrichment

Updated: 2026-04-06T13:27:08.097Z

NVD

Status: Analyzed

Published: 2026-04-04T14:16:20.860

Modified: 2026-04-10T21:20:51.960

Link: CVE-2018-25249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:58Z

Weaknesses