CVE-2018-25309
Published: 29 April 2026
Summary
CVE-2018-25309 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Dragonexpert Recent Threads On Index. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2018-25309 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the MyBB Recent Threads plugin version 17.0. The plugin fails to properly sanitize or escape script tags in the subject parameter before displaying it on the index page, so attackers can inject malicious scripts through crafted thread subject lines.
Any unauthenticated attacker (per CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, score 7.2) capable of creating threads can exploit this by embedding script tags in the subject field. Once created, the malicious payload executes arbitrary JavaScript in the browsers of all users who view the forum's index page, potentially leading to session hijacking, data theft, or further compromise within the victim's browser context.
Mitigation details are available in related advisories and resources, including the MyBB community mod page at https://community.mybb.com/mods.php?action=view&pid=191, an Exploit-DB entry at https://www.exploit-db.com/exploits/44420, and a VulnCheck advisory at https://www.vulncheck.com/advisories/mybb-recent-threads-persistent-cross-site-scripting.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21830
Vulnerability details
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing web plugin directly enables exploitation of the application (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs like thread subject lines to ensure they conform to expected syntax and semantics, directly preventing injection of malicious script tags.
SI-15 mandates filtering information outputs prior to display on pages like the index, preventing execution of injected scripts in users' browsers.
SI-2 ensures timely identification, reporting, and patching of flaws like this persistent XSS vulnerability in the MyBB plugin.
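The SI-10 and SI-15 controls above, applied to a thread subject rendered in an index row, as an added example that is not the plugin's own code. The function names, the 85-character limit and the sample subjects are assumptions made for illustration; the validation here only bounds length and character set, and the output encoding is what turns markup into inert text.

```php
<?php
declare(strict_types=1);

// Added illustration: hypothetical helpers, not code from the Recent Threads plugin.
const SUBJECT_MAX_LEN = 85; // assumed limit for this example

// SI-10: accept only subjects of the expected shape
// (valid UTF-8, 1..SUBJECT_MAX_LEN characters, no control characters).
function validate_subject(string $subject): string
{
    $subject = trim($subject);
    $pattern = '/^[^\x00-\x1F\x7F]{1,' . SUBJECT_MAX_LEN . '}\z/u';
    // preg_match returns false on invalid UTF-8 and 0 on a shape mismatch.
    if (preg_match($pattern, $subject) !== 1) {
        throw new InvalidArgumentException('subject rejected by input validation');
    }
    return $subject;
}

// The flaw class described above: the stored subject is concatenated into HTML as-is.
function render_row_unsafe(int $tid, string $subject): string
{
    return '<a href="showthread.php?tid=' . $tid . '">' . $subject . '</a>';
}

// SI-15: encode the subject for the HTML context at the moment it is written out.
function render_row_escaped(int $tid, string $subject): string
{
    $safe = htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="showthread.php?tid=' . $tid . '">' . $safe . '</a>';
}

// Constructed sample subjects (not taken from any real forum).
$stored = [
    101 => 'Tips & tricks for PHP < 8',
    102 => '<script>alert(1)</script>',
];

foreach ($stored as $tid => $raw) {
    // Both samples pass the shape check; only encoding neutralises the markup.
    $subject = validate_subject($raw);
    echo 'unsafe : ', render_row_unsafe($tid, $subject), PHP_EOL;
    echo 'escaped: ', render_row_escaped($tid, $subject), PHP_EOL;
}
```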