CVE-2018-25250
Published: 04 April 2026
Summary
CVE-2018-25250 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Mybb Last User Threads. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 10.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2018-25250 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the MyBB Last User's Threads in Profile Plugin version 1.2. This plugin, used with the MyBB forum software, fails to properly sanitize thread subjects, allowing attackers to inject malicious script tags into forum threads.
The vulnerability can be exploited by attackers who can create threads with script payloads in the subject field. When users visit the attacker's profile page, which displays the last user's threads via the plugin, the injected scripts execute in the visitors' browsers. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects network accessibility, low attack complexity, no privileges or user interaction required, and cross-scope impact with low confidentiality and integrity effects.
Advisories and related resources, including the MyBB community plugin page (https://community.mybb.com/mods.php?action=view&pid=910), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/44339), and a Vulncheck advisory (https://www.vulncheck.com/advisories/mybb-last-user-s-threads-in-profile-plugin-persistent-xss), provide further details on the issue. Published on 2026-04-04, these references document the flaw and associated exploit materials.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21752
Vulnerability details
MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that…
more
execute when users visit the attacker's profile page.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS directly enables arbitrary JavaScript execution in victim browsers (T1059.007), session hijacking via stolen cookies or tokens (T1185/T1539), and exploitation of a public-facing web plugin (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 enforces validation of thread subject inputs to block injection of malicious script tags into forum threads.
SI-15 requires filtering of thread subjects during output on profile pages to prevent execution of injected scripts in visitors' browsers.
SI-2 mandates identification, reporting, and correction of the specific XSS flaw in the MyBB plugin through timely patching.