Cyber Posture

CVE-2018-25250

High · Public PoC

Published: 04 April 2026
Modified: 20 April 2026
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0003 (8.2th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-25250 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Mybb Last User Threads. Its CVSS base score is 7.2 (High).

Operationally, it ranks at the 8.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: SI-10 enforces validation of thread subject inputs to block injection of malicious script tags into forum threads.

prevent: SI-15 requires filtering of thread subjects during output on profile pages to prevent execution of injected scripts in visitors' browsers.

prevent: SI-2 mandates identification, reporting, and correction of the specific XSS flaw in the MyBB plugin through timely patching.

NVD Description

MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Attackers can create threads with script payloads in the subject field that execute when users visit the attacker's profile page.

Deeper analysis (AI-generated)

CVE-2018-25250 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the MyBB Last User's Threads in Profile Plugin version 1.2. This plugin, used with the MyBB forum software, fails to properly sanitize thread subjects, allowing attackers to inject malicious script tags into forum threads.

The vulnerability can be exploited by attackers who can create threads with script payloads in the subject field. When users visit the attacker's profile page, which displays the last user's threads via the plugin, the injected scripts execute in the visitors' browsers. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects network accessibility, low attack complexity, no privileges or user interaction required, and cross-scope impact with low confidentiality and integrity effects.
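The flaw class described above is a missing output-encoding step: a stored thread subject is written into the profile page's HTML as-is. The following PHP snippet is an added illustration, not the plugin's own code, of the vulnerable rendering pattern next to the hardened one that the SI-15 control calls for. The function names, the `$threads` row shape and the sample rows are assumptions constructed for this example.

```php
<?php
// Added illustration (not the MyBB plugin's own code) of rendering a member's
// latest thread subjects on a profile page. Helper names and the $threads
// row shape are assumptions for this example.

// Constructed sample rows, shaped like a query for the member's latest threads.
$threads = [
    ['tid' => 1, 'subject' => 'Welcome to the forum'],
    ['tid' => 2, 'subject' => '<script>alert(1)</script>'],  // constructed hostile subject
];

// Vulnerable pattern: the subject is concatenated into HTML unchanged, so any
// markup stored in it is interpreted by the visitor's browser. This is the
// defect class CVE-2018-25250 describes (stored XSS, CWE-79).
function render_threads_unsafe(array $threads): string {
    $html = '<ul>';
    foreach ($threads as $t) {
        $html .= '<li><a href="showthread.php?tid=' . $t['tid'] . '">'
               . $t['subject'] . '</a></li>';
    }
    return $html . '</ul>';
}

// Hardened pattern (SI-15 output filtering): HTML-encode every untrusted value
// at the point of output. ENT_QUOTES also encodes ' and " so the same helper is
// safe inside attribute values; ENT_SUBSTITUTE avoids dropping the whole string
// on invalid UTF-8. Numeric ids are cast rather than interpolated as strings.
function render_threads_safe(array $threads): string {
    $html = '<ul>';
    foreach ($threads as $t) {
        $tid = (int) $t['tid'];
        $subject = htmlspecialchars($t['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<li><a href="showthread.php?tid=' . $tid . '">' . $subject . '</a></li>';
    }
    return $html . '</ul>';
}

// Side-by-side output: the first line carries a live <script> element, the
// second carries &lt;script&gt;…&lt;/script&gt; as inert text.
echo render_threads_unsafe($threads), PHP_EOL;
echo render_threads_safe($threads), PHP_EOL;
```

Encoding at output is the control that actually stops the script from running; input validation on the subject (the SI-10 control above) is defense in depth, because a subject can reach the page through other paths (imports, database edits, other plugins) and because a blocklist of tag names is easy to get wrong. MyBB core ships `htmlspecialchars_uni()` for the same purpose, which is the helper a plugin running inside MyBB would normally call.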

Advisories and related resources, including the MyBB community plugin page (https://community.mybb.com/mods.php?action=view&pid=910), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/44339), and a Vulncheck advisory (https://www.vulncheck.com/advisories/mybb-last-user-s-threads-in-profile-plugin-persistent-xss), provide further details on the issue. Published on 2026-04-04, these references document the flaw and associated exploit materials.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products

Vendor: mybb; Product: last user threads; Versions: ≤ 1.2

CVEs Like This One

CVE-2018-25248 (same vendor: Mybb)
CVE-2026-2101 (shared CWE-79)
CVE-2025-0817 (shared CWE-79)
CVE-2025-22751 (shared CWE-79)
CVE-2024-26006 (shared CWE-79)
CVE-2025-7760 (shared CWE-79)
CVE-2026-30862 (shared CWE-79)
CVE-2025-67614 (shared CWE-79)
CVE-2025-23489 (shared CWE-79)
CVE-2026-23807 (shared CWE-79)
