MyBB Last User's Threads in Profile Plugin 1.2 Persistent XSS
Platform
php
Component
last-users-threads-in-profile
CVE-2018-25250 describes a persistent cross-site scripting (XSS) vulnerability in the MyBB Last User's Threads in Profile Plugin. The flaw allows attackers to inject malicious scripts into a user's profile page, potentially leading to session hijacking or defacement. The vulnerability affects version 1.2 of the plugin (the affected range is listed as 1.2 through 1.2), and a fix is available via plugin update.
Impact and Attack Scenarios
An attacker can exploit this XSS vulnerability by crafting thread subjects containing malicious script tags. When a user visits the attacker's profile page, the embedded script executes within the user's browser context. This allows the attacker to steal cookies, redirect the user to a malicious website, or modify the content of the profile page. The impact can range from simple annoyance to complete account compromise, depending on the attacker's payload and the user's privileges.
Exploitation Context
CVE-2018-25250 was publicly disclosed on 2026-04-04. There are currently no known active campaigns exploiting this specific vulnerability, but XSS vulnerabilities are frequently targeted. Public proof-of-concept exploits are likely to emerge given the ease of exploitation. This vulnerability is not currently listed on the CISA KEV catalog.
Who Is at Risk
Administrators and users of MyBB forums who have installed the Last User's Threads in Profile Plugin versions 1.2–1.2 are at risk. Shared hosting environments where multiple MyBB instances are hosted on the same server are particularly vulnerable, as a compromise of one instance could potentially lead to the compromise of others.
Detection Steps
- wordpress / composer / npm:
  grep -r "<script" /var/www/mybb/plugins/lastusersthreads/
- generic web:
  curl -I https://your-mybb-site.com/profile.php?uid=1 | grep Content-Type
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions. The attacker can exploit it reliably.
- Privileges Required
- None: no authentication needed to exploit.
- User Interaction
- None: the attack is automatic and silent. The victim does nothing.
- Scope
- Changed: the attack can pivot beyond the vulnerable component.
- Confidentiality
- Low: partial or indirect access to some data.
- Integrity
- Low: the attacker can modify some data with limited reach.
- Availability
- None: no impact on availability.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2018-25250 is to upgrade the MyBB Last User's Threads in Profile Plugin to a patched version. If upgrading is not immediately feasible, consider implementing input validation on thread subjects to sanitize potentially malicious characters. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review MyBB forums and security advisories for updates and further guidance.
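The rendering-side fix that the mitigation above points at, as an added example that is not the plugin's own code: a hypothetical `render_threads_unsafe()` shows the stored-XSS pattern (a thread subject concatenated straight into profile markup) next to a hypothetical `render_threads_safe()` that HTML-encodes the subject and casts the thread id to an integer. The sample rows are constructed; in a real MyBB plugin the core helper `htmlspecialchars_uni()` would be used in place of `htmlspecialchars()`, and the script assumes PHP 8 for `str_contains()`.

```php
<?php
// Added example: a vulnerable profile-list renderer beside its hardened form.
// The rows below are constructed to resemble MyBB's threads table (tid, subject);
// the second subject carries a harmless marker payload standing in for a real one.
$threads = [
    ['tid' => 101, 'subject' => 'Welcome to the forum'],
    ['tid' => 102, 'subject' => "<script>alert('xss')</script>"],
];

function render_threads_unsafe(array $threads): string {
    $html = '';
    foreach ($threads as $t) {
        // Vulnerable pattern: untrusted subject and tid written straight into HTML.
        $html .= '<li><a href="showthread.php?tid=' . $t['tid'] . '">'
               . $t['subject'] . '</a></li>';
    }
    return "<ul>$html</ul>";
}

function render_threads_safe(array $threads): string {
    $html = '';
    foreach ($threads as $t) {
        // Fix: encode for the HTML body/attribute context and force tid to an int.
        $tid     = (int) $t['tid'];
        $subject = htmlspecialchars($t['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<li><a href="showthread.php?tid=' . $tid . '">' . $subject . '</a></li>';
    }
    return "<ul>$html</ul>";
}

// Self-check: the stored tag survives the unsafe renderer and is neutralised
// (emitted as &lt;script&gt;) by the hardened one.
$unsafe = render_threads_unsafe($threads);
$safe   = render_threads_safe($threads);
if (!str_contains($unsafe, '<script>') || str_contains($safe, '<script>')) {
    throw new RuntimeException('self-check failed: escaping did not behave as expected');
}
echo $safe, PHP_EOL;
```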
How to Fix
Update the MyBB Last User's Threads in Profile plugin to the latest available version, as it fixes the XSS vulnerability. Check the plugin's download page or the MyBB community forum for the most recent update. Also make sure your MyBB installation is updated to the latest stable version.
Frequently Asked Questions
What is CVE-2018-25250 — XSS in MyBB Last User's Threads Plugin?
CVE-2018-25250 is a cross-site scripting (XSS) vulnerability affecting the MyBB Last User's Threads in Profile Plugin, allowing attackers to inject malicious scripts into user profiles.
Am I affected by CVE-2018-25250 in MyBB Last User's Threads Plugin?
You are affected if you are using MyBB Last User's Threads in Profile Plugin versions 1.2–1.2. Upgrade to a patched version to resolve the vulnerability.
How do I fix CVE-2018-25250 in MyBB Last User's Threads Plugin?
Upgrade the MyBB Last User's Threads in Profile Plugin to the latest available version. Input validation and WAF rules can provide temporary mitigation.
Is CVE-2018-25250 being actively exploited?
There are currently no confirmed reports of active exploitation, but XSS vulnerabilities are frequently targeted, and exploitation is possible.
Where can I find the official MyBB advisory for CVE-2018-25250?
Refer to the MyBB forums and security advisories for the latest information and updates regarding CVE-2018-25250.