CVE-2023-53979
Published: 22 December 2025
Summary
CVE-2023-53979 is a high-severity Path Traversal (CWE-22) vulnerability in MyBB (vendor and product are both MyBB). Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the chained path traversal and RCE vulnerability in MyBB 1.8.32 by applying vendor patches or upgrading.
- SI-10 (Information Input Validation): enforces validation of the upload path setting and of uploaded file contents, rejecting values that place files outside the intended directory and image files that carry embedded PHP.
- CM-5 (Access Restrictions for Change): restricts who can change the upload path and language settings in the admin panel, so that an authenticated administrator account (or a stolen admin session) cannot enable the exploit chain.
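The two SI-10 checks above, written out as an added example in Python (this is not MyBB's code and nothing here is quoted from the advisory): the first function keeps an admin-supplied upload path inside the upload tree, the second refuses files that do not start with a known image signature or that contain a PHP open tag anywhere in their bytes. The directory layout under /var/www/mybb, the accepted image types and the sample files are all assumptions constructed for the example.

```python
import os
from typing import Tuple

# Assumed deployment layout for this example; MyBB's real setting names and
# directories are not taken from the advisory.
WEB_ROOT = "/var/www/mybb"
UPLOAD_ROOT = os.path.join(WEB_ROOT, "uploads")

# Magic bytes of the image types an avatar upload would normally accept.
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
# Open tags the PHP engine honours regardless of the file's extension once
# the file ends up somewhere the interpreter includes or executes it.
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def validate_upload_path(configured: str,
                         web_root: str = WEB_ROOT,
                         upload_root: str = UPLOAD_ROOT) -> str:
    """Return the normalised absolute upload directory, or raise ValueError
    when the admin-supplied value would place files outside upload_root."""
    if "\x00" in configured:
        raise ValueError("NUL byte in upload path")
    # normpath collapses "." and ".." lexically; an absolute value discards
    # web_root inside os.path.join, which the containment check then rejects.
    candidate = os.path.normpath(os.path.join(web_root, configured))
    if os.path.commonpath([candidate, upload_root]) != upload_root:
        raise ValueError("upload path escapes %s: %s" % (upload_root, candidate))
    # Lexical checks do not see symlinks; on a live system additionally
    # compare os.path.realpath(candidate) against upload_root after creation.
    return candidate


def check_image_bytes(data: bytes) -> Tuple[bool, str]:
    """Accept only files that start with a known image signature and contain
    no PHP open tag anywhere in the body (trailer and metadata included)."""
    kind = None
    for signature, name in IMAGE_SIGNATURES:
        if data.startswith(signature):
            kind = name
            break
    if kind is None:
        return False, "unknown image signature"
    lowered = data.lower()          # also catches <?PHP and mixed case
    for tag in PHP_OPEN_TAGS:
        if tag in lowered:
            return False, "embedded PHP open tag"
    return True, kind


# Constructed samples: a truncated PNG header plus filler, and the same header
# with a PHP open tag appended the way a polyglot upload would carry it.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_POLYGLOT_PNG = CLEAN_PNG + b"<?php echo 'polyglot'; ?>"

if __name__ == "__main__":
    for value in ("uploads/avatars", "uploads/avatars/../../inc/languages", "/etc"):
        try:
            print("accepted", validate_upload_path(value))
        except ValueError as exc:
            print("rejected", exc)
    print(check_image_bytes(CLEAN_PNG), check_image_bytes(PHP_POLYGLOT_PNG))
```

The tag scan is a heuristic against the specific polyglot the chain relies on, not a substitute for the vendor fix: a file that passes it can still be dangerous if it is written somewhere the application later includes, which is why the path check and the CM-5 restriction on who may change that setting matter as much as the content check.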
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
CVE-2023-53979 is exploited against a public-facing web application (the MyBB forum and its admin panel): path traversal through the upload path setting plus the upload of an image with embedded PHP gives the attacker web-shell-style remote code execution on the server. The chain requires an authenticated administrator, so T1190 here describes how admin-panel access is turned into code execution on the host; the administrator credentials or session must first be obtained by other means.
NVD Description
MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface.
Deeper analysis
CVE-2023-53979 is a chained vulnerability in MyBB 1.8.32, a widely deployed open-source forum package. It lets an authenticated administrator bypass the restrictions on avatar uploads and reach arbitrary code execution. The chain has three steps: change the upload path setting so that uploaded files are written outside the intended directory, upload an image file with PHP code embedded in it, and then trigger execution of that code through the language configuration editing interface. The vulnerability is classified as CWE-22 (Path Traversal) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no user interaction, and high impact on confidentiality, integrity and availability.
The CVSS vector scores the privilege requirement as low (PR:L), but in practice the chain needs an account that can edit admin-panel settings and language files, which on a MyBB forum is an administrator. The practical risk is therefore escalation from forum administrator to the operating-system account running PHP: an attacker who has obtained administrator credentials or a session by other means, or a malicious or compromised administrator, can turn that access into full remote code execution on the web server, with data theft, further system compromise and persistence as likely follow-ons. Administrator credentials and sessions should be protected accordingly.
The VulnCheck advisory describes the chained local file inclusion and RCE issues, and the MyBB site carries the project's security resources. A public exploit is available on Exploit-DB (ID 51213), and the record references the related CVE-2022-45867. Practitioners should consult these sources for patch information and upgrade MyBB to a release the vendor lists as fixed; until then, restricting admin-panel access (CM-5) and validating the upload path setting (SI-10) limit what an administrator account can do with the chain.
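Because every step of the chain is a request to the forum's admin panel or user control panel, the three stages leave an ordered trace in the web server's access log, which is what the T1190 mapping above suggests hunting for. The following Python is an added example, not code from the page or from MyBB: it parses Apache combined-format lines, classifies each request as one of the three stages (settings change, avatar upload, language edit) and reports any client that performed all three in order inside a time window. The log lines are constructed for the example, and the MyBB admin-panel and UserCP URL patterns used as stage markers are assumptions to be checked against the actual deployment, not paths quoted from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines. The ACP/UserCP paths are assumed
# to be the endpoints involved and must be verified against the real forum;
# they are not quoted from MyBB or from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - admin [22/Dec/2025:10:01:05 +0000] "POST /admin/index.php?module=config-settings&action=change HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - admin [22/Dec/2025:10:02:40 +0000] "POST /usercp.php?action=do_avatar HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - admin [22/Dec/2025:10:03:12 +0000] "POST /admin/index.php?module=config-languages&action=edit HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - bob [22/Dec/2025:10:05:00 +0000] "GET /usercp.php?action=avatar HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.4 - bob [22/Dec/2025:10:05:30 +0000] "POST /usercp.php?action=do_avatar HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Ordered stages of the chain: (name, HTTP method, substring of the request path).
STAGES = (
    ("settings_change", "POST", "module=config-settings"),
    ("avatar_upload", "POST", "action=do_avatar"),
    ("language_edit", "POST", "module=config-languages"),
)


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def classify(method, path):
    """Map a request to a stage name, or None when it is not part of the chain."""
    for name, wanted_method, marker in STAGES:
        if method == wanted_method and marker in path:
            return name
    return None


def find_chains(log_text, window=timedelta(minutes=30)):
    """Return one hit per client IP that performed all three stages in order,
    with the whole sequence inside `window` measured from a settings change."""
    staged = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        stage = classify(method, path)
        if stage is not None:
            staged[ip].append((ts, stage))

    hits = []
    for ip, events in sorted(staged.items()):
        events.sort()
        # Try every settings change as a potential start of the chain so an
        # unrelated earlier change does not push the real one out of the window.
        for start_ts, start_stage in events:
            if start_stage != STAGES[0][0]:
                continue
            matched = [(start_stage, start_ts)]
            cursor = start_ts
            for name, _, _ in STAGES[1:]:
                nxt = next((ts for ts, st in events if st == name and ts >= cursor), None)
                if nxt is None:
                    break
                matched.append((name, nxt))
                cursor = nxt
            if len(matched) == len(STAGES) and matched[-1][1] - start_ts <= window:
                hits.append({"ip": ip, "stages": matched})
                break
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print(hit["ip"], [(name, ts.isoformat()) for name, ts in hit["stages"]])
```

A legitimate administrator can produce the same three requests, so this is a triage signal rather than a verdict; the access log also does not show which setting was changed or to what value, so confirming a hit means checking the admin panel's own administrator log or the settings table for an upload path pointing outside the upload directory.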
Details
- CWE(s)