Cyber Resilience

CVE-2018-25250

Medium · Public PoC

Published: 04 April 2026

Modified: 20 April 2026
KEV Added
Patch
CVSS Score v4: 5.1
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0003 (10.1th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-25250 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in MyBB Last User Threads. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks at the 10.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2018-25250 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the MyBB Last User's Threads in Profile Plugin version 1.2. This plugin, used with the MyBB forum software, fails to properly sanitize thread subjects, allowing attackers to inject malicious script tags into forum threads.

The vulnerability can be exploited by attackers who can create threads with script payloads in the subject field. When users visit the attacker's profile page, which displays the last user's threads via the plugin, the injected scripts execute in the visitors' browsers. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects network accessibility, low attack complexity, no privileges or user interaction required, and cross-scope impact with low confidentiality and integrity effects.

Advisories and related resources, including the MyBB community plugin page (https://community.mybb.com/mods.php?action=view&pid=910), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/44339), and a VulnCheck advisory (https://www.vulncheck.com/advisories/mybb-last-user-s-threads-in-profile-plugin-persistent-xss), provide further details on the issue. Published on 2026-04-04, these references document the flaw and associated exploit materials.

EU & UK References

Vulnerability details

MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that execute when users visit the attacker's profile page.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS directly enables arbitrary JavaScript execution in victim browsers (T1059.007), session hijacking via stolen cookies or tokens (T1185/T1539), and exploitation of a public-facing web plugin (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2018-25248 · Same vendor: MyBB
CVE-2025-67949 · Shared CWE-79
CVE-2024-56033 · Shared CWE-79
CVE-2025-23549 · Shared CWE-79
CVE-2026-27072 · Shared CWE-79
CVE-2026-27068 · Shared CWE-79
CVE-2025-59542 · Shared CWE-79
CVE-2025-26989 · Shared CWE-79
CVE-2026-28103 · Shared CWE-79
CVE-2026-26266 · Shared CWE-79

Affected Assets

Vendor: mybb · Product: last user threads · Version: ≤ 1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-10 enforces validation of thread subject inputs to block injection of malicious script tags into forum threads.

Prevent: SI-15 requires filtering of thread subjects during output on profile pages to prevent execution of injected scripts in visitors' browsers.

Prevent: SI-2 mandates identification, reporting, and correction of the specific XSS flaw in the MyBB plugin through timely patching.
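
The SI-15 control above comes down to encoding the thread subject at the point it is written into the profile page. The sketch below is an added example, not the plugin's code: the function names, the row layout (`tid`, `subject`), the link format and the sample rows are assumptions made for illustration. It sets an unencoded render beside an encoded one.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for a user's latest threads.
// The second subject carries markup, as in the stored-XSS case described above.
$threads = [
    ['tid' => 101, 'subject' => 'Welcome to the forum'],
    ['tid' => 102, 'subject' => '<script>alert(1)</script>'],
    ['tid' => 103, 'subject' => 'Tips & tricks for "new" users'],
];

// Vulnerable pattern: the stored subject is concatenated into HTML as-is,
// so any tags in it become part of the page.
function render_threads_unsafe(array $threads): string
{
    $html = '';
    foreach ($threads as $t) {
        $html .= '<a href="showthread.php?tid=' . $t['tid'] . '">' . $t['subject'] . "</a><br />\n";
    }
    return $html;
}

// Hardened pattern: encode for the HTML context at output time and force
// the id to an integer before it reaches the attribute.
function render_threads_safe(array $threads): string
{
    $html = '';
    foreach ($threads as $t) {
        $subject = htmlspecialchars((string) $t['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<a href="showthread.php?tid=' . (int) $t['tid'] . '">' . $subject . "</a><br />\n";
    }
    return $html;
}

$unsafe = render_threads_unsafe($threads);
$safe   = render_threads_safe($threads);

// Regression checks a maintainer could keep: no raw tag taken from a
// subject may survive in the rendered fragment.
var_dump(strpos($unsafe, '<script>') !== false);   // is the raw tag in the unsafe render?
var_dump(strpos($safe, '<script>') === false);     // is the raw tag absent from the safe render?
var_dump(strpos($safe, '&lt;script&gt;') !== false); // is the subject still shown, as text?
echo $safe;
```

Encoding at output covers subjects already stored in the database, which input validation (SI-10) alone would not reach.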

References