Cyber Posture

CVE-2018-25248

HighPublic PoC

Published: 04 April 2026

Published
04 April 2026
Modified
10 April 2026
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0003 9.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-25248 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Mybb Mybb Downloads. Its CVSS base score is 7.2 (High).

Operationally, ranked at the 9.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of information inputs such as the download title field to block injection of malicious HTML/JavaScript by regular members.

SI-15 Information Output Filtering good match
prevent

Mandates filtering of information outputs like the download title when displayed to administrators in downloads.php to prevent execution of injected scripts.

SI-2 Flaw Remediation good match
prevent

Directs identification, testing, and deployment of fixes or patches for the specific XSS flaw in MyBB Downloads Plugin 2.0.3.

NVD Description

MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators…

more

validate the download in downloads.php.

Deeper analysisAI

CVE-2018-25248 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the MyBB Downloads Plugin version 2.0.3. The flaw resides in the download title field within downloads.php, where attackers can inject malicious HTML or JavaScript code. Published on 2026-04-04, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting high severity due to its network accessibility, low complexity, lack of required privileges, no user interaction, and scope change.

Regular members of a MyBB forum can exploit this vulnerability by submitting a new download entry with malicious scripts embedded in the title parameter. The injected code persists and executes in the administrator's browser context when they validate the pending download via downloads.php, potentially leading to session hijacking, data theft, or further compromise of the admin account.

Advisories and related resources, including the MyBB community mod page (https://community.mybb.com/mods.php?action=view&pid=854), an Exploit-DB entry (https://www.exploit-db.com/exploits/44400), and a VulnCheck advisory (https://www.vulncheck.com/advisories/mybb-downloads-plugin-persistent-xss-via-downloads-php), provide further details on the issue and proof-of-concept exploitation. Security practitioners should consult these for mitigation guidance, such as plugin updates or input sanitization.

Details

CWE(s)
CWE-79

Affected Products

mybb
mybb downloads
2.0.3

CVEs Like This One

CVE-2018-25250Same vendor: Mybb
CVE-2026-2101Shared CWE-79
CVE-2025-0817Shared CWE-79
CVE-2025-22751Shared CWE-79
CVE-2024-26006Shared CWE-79
CVE-2025-7760Shared CWE-79
CVE-2026-30862Shared CWE-79
CVE-2025-67614Shared CWE-79
CVE-2025-23489Shared CWE-79
CVE-2026-23807Shared CWE-79

References