Cyber Resilience

CVE-2018-25309

Medium · Public PoC

Published: 29 April 2026

Modified: 01 May 2026
KEV Added
Patch
CVSS Score v4: 5.1
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0003 (8.6th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-25309 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Dragonexpert Recent Threads On Index. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2018-25309 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the MyBB Recent Threads plugin version 17.0. The flaw arises when attackers inject malicious scripts through crafted subject lines in threads, as the plugin fails to properly sanitize or escape script tags in the subject parameter displayed on the index page.

Any unauthenticated attacker (per CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, score 7.2) capable of creating threads can exploit this by embedding script tags in the subject field. Once created, the malicious payload executes arbitrary JavaScript in the browsers of all users who view the forum's index page, potentially leading to session hijacking, data theft, or further compromise within the victim's browser context.

Mitigation details are available in related advisories and resources, including the MyBB community mod page at https://community.mybb.com/mods.php?action=view&pid=191, an Exploit-DB entry at https://www.exploit-db.com/exploits/44420, and a VulnCheck advisory at https://www.vulncheck.com/advisories/mybb-recent-threads-persistent-cross-site-scripting.

Vulnerability details

MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Stored XSS in a public-facing web plugin directly enables exploitation of the application (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 · Shared CWE-79
CVE-2025-23481 · Shared CWE-79
CVE-2025-69302 · Shared CWE-79
CVE-2025-23734 · Shared CWE-79
CVE-2025-23571 · Shared CWE-79
CVE-2025-65110 · Shared CWE-79
CVE-2026-24948 · Shared CWE-79
CVE-2025-27352 · Shared CWE-79
CVE-2025-30349 · Shared CWE-79
CVE-2026-3876 · Shared CWE-79

Affected Assets

Vendor: dragonexpert
Product: recent threads on index
Version: 17.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

[prevent] SI-10 requires validation of information inputs like thread subject lines to ensure they conform to expected syntax and semantics, directly preventing injection of malicious script tags.

[prevent] SI-15 mandates filtering information outputs prior to display on pages like the index, preventing execution of injected scripts in users' browsers.

[prevent, recover] SI-2 ensures timely identification, reporting, and patching of flaws like this persistent XSS vulnerability in the MyBB plugin.
