Description
MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that execute when users visit the attacker's profile page.
Published: 2026-04-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Persistent Cross-Site Scripting via thread subject injection
Action: Apply Patch
AI Analysis

Impact

A persistent cross-site scripting flaw exists in MyBB Last User's Threads in Profile Plugin 1.2: the plugin renders thread subjects on the author's profile page without escaping them, so an attacker can embed script tags in the subject field of a thread. When other users view the attacker's profile page, the malicious script executes in their browsers, potentially enabling the attacker to steal session tokens, deface content, or redirect users to malicious sites. The weakness is a classic input validation failure (CWE-79) that results in unsanitized user-supplied content being rendered in a browser context.

Affected Systems

The vulnerability affects the MyBB Last User's Threads in Profile Plugin version 1.2 from the MyBB community. No other variants or versions are listed as affected.

Risk and Exploitability

The CVSS base score is 5.1, indicating a moderate severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, implying no known widespread exploitation at this time. The likely attack vector requires the adversary to create a thread with a malicious subject, which typically needs at least member-level access or the ability to submit threads. Once a thread is created, attackers can target any visitor to the profile page, making the impact potentially wide across users on the affected forum.

Generated by OpenCVE AI on April 4, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed plugin version and compare it to the known vulnerable release.
  • Temporarily disable or remove the MyBB Last User's Threads in Profile Plugin until a patch is released by the plugin author.
  • Monitor the MyBB community forums or the plugin’s author page for an updated, fixed version and apply it promptly.
  • If an update is not available, consider implementing output escaping on the profile page or disabling the subject field to prevent script rendering.

Generated by OpenCVE AI on April 4, 2026 at 17:22 UTC.
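
To make the last recommended action concrete, the following is an added PHP illustration written for this page (not the plugin's own code): a profile-page listing that echoes each stored thread subject verbatim, next to a version that escapes at output time. The $threads rows, the function names and the showthread.php link format are assumptions.

```php
<?php
// Constructed illustration of the CVE-2018-25250 bug class: a profile page
// lists a user's latest threads and interpolates the stored subject into HTML.
// Hypothetical code, not the plugin's own; $threads is a constructed sample.
declare(strict_types=1);

// Constructed sample rows, as they might come back from the threads table.
// The second subject is the kind of stored payload the advisory describes.
$threads = [
    ['tid' => 101, 'subject' => 'Welcome to the forum'],
    ['tid' => 102, 'subject' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: the subject goes into the markup without escaping, so a
// stored <script> tag is delivered to every visitor of the profile page.
function render_threads_unsafe(array $threads): string
{
    $html = '<ul>';
    foreach ($threads as $t) {
        $html .= '<li><a href="showthread.php?tid=' . $t['tid'] . '">'
               . $t['subject'] . '</a></li>';
    }
    return $html . '</ul>';
}

// Hardened pattern: escape at output time. ENT_QUOTES also neutralises
// quotes, so the same value is safe inside an attribute; casting tid to int
// keeps injected content out of the link as well.
function render_threads_safe(array $threads): string
{
    $html = '<ul>';
    foreach ($threads as $t) {
        $subject = htmlspecialchars((string) $t['subject'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<li><a href="showthread.php?tid=' . (int) $t['tid'] . '">'
               . $subject . '</a></li>';
    }
    return $html . '</ul>';
}

echo render_threads_unsafe($threads), PHP_EOL;  // raw <script> tag reaches the browser
echo render_threads_safe($threads), PHP_EOL;    // rendered as &lt;script&gt;... text
```

MyBB's own helper for this is htmlspecialchars_uni() in inc/functions.php, which is what a plugin would normally call instead of htmlspecialchars(). Escaping at output does not remove payloads already stored in the subject column, so every other template that renders subjects needs the same treatment.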


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mybb last User Threads
CPEs                                  cpe:2.3:a:mybb:last_user_threads:*:*:*:*:*:mybb:*:*
Vendors & Products                    Mybb last User Threads

Mon, 06 Apr 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 15:00:00 +0000

Type                 Values Removed   Values Added
Description                           MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that execute when users visit the attacker's profile page.
Title                                 MyBB Last User's Threads in Profile Plugin 1.2 Persistent XSS
First Time appeared                   Mybb
                                      Mybb mybb
Weaknesses                            CWE-79
CPEs                                  cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*
Vendors & Products                    Mybb
                                      Mybb mybb
References
Metrics                               cvssV3_1
                                      {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}
                                      cvssV4_0
                                      {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:39:34.728Z

Reserved: 2026-04-04T13:24:30.747Z

Link: CVE-2018-25250

Vulnrichment

Updated: 2026-04-06T15:39:30.047Z

NVD

Status: Analyzed

Published: 2026-04-04T14:16:21.033

Modified: 2026-04-20T14:31:19.173

Link: CVE-2018-25250

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:57:37Z

Weaknesses