Description
MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php profile action to change a user's cover picture by crafting malicious forms that execute when victims visit affected profiles.
Published: 2026-05-16
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MyBB Timeline Plugin version 1.0 contains cross-site scripting flaws that let attackers inject malicious scripts into thread titles, post content, and profile fields such as Location and Bio. In addition, the timeline.php profile action is vulnerable to cross-site request forgery, enabling an attacker to craft a form that changes a user's cover picture when the victim visits the affected profile. These weaknesses allow the execution of arbitrary client-side code in any browser that renders the content. The potential consequences, such as session hijacking, credential theft, or page defacement, are inferred from the nature of XSS and are not explicitly stated in the advisory.

Affected Systems

The affected product is the MyBB Timeline Plugin, version 1.0, distributed by MyBB. No other product variants or versions are listed.

Risk and Exploitability

The CVSS base score of 6.9 (Medium) indicates moderate impact. The vulnerability is exploitable over the network via the web interface and requires a victim to view the compromised content. Because no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation is uncertain and depends largely on attacker activity against online forums. The CSRF vector expands the threat because any authenticated user could become a victim by visiting a malicious link or form, though the flaw does not provide direct remote code execution on the server.

Generated by OpenCVE AI on May 16, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the MyBB Timeline Plugin to the latest version that addresses XSS and CSRF vulnerabilities.
  • If no update is available, disable or remove the Timeline Plugin to eliminate the attack surface.
  • Ensure that thread titles, post content, and profile fields are properly sanitized and that all form submissions include valid CSRF tokens.


Tracking


Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php profile action to change a user's cover picture by crafting malicious forms that execute when victims visit affected profiles.
Title | | MyBB Timeline Plugin 1.0 Cross-Site Scripting and CSRF
First Time appeared | | Mybb; Mybb mybb
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:mybb:mybb:1.0:*:*:*:*:*:*:*
Vendors & Products | | Mybb; Mybb mybb
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:03.991Z

Reserved: 2026-02-01T11:24:18.717Z

Link: CVE-2021-47934

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-16T16:16:21.267

Modified: 2026-05-16T16:16:21.267

Link: CVE-2021-47934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T18:15:28Z

Weaknesses