Vendor: MyBB Trending Widget Plugin
By: 0xB9
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-Site Scripting)
Product Name: MyBB Trending Widget Plugin
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
Year: 2018

MyBB Trending Widget Plugin 1.2 – Cross-Site Scripting

This plugin shows the most trending threads. Trending thread titles are rendered without sanitizing user input. Have a thread that appears in the trending widget and change its title to a payload such as <script>alert('XSS')</script>; anyone who visits the forum will execute the payload (stored cross-site scripting).

Mitigation:

Sanitize user input and escape special characters before thread titles are rendered in the widget.

Exploit-DB raw data:

# Exploit Title: MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting
# Date: 11/28/2018
# Author: 0xB9
# Software Link: https://github.com/zainali99/trends-widget
# Version: 1.2
# Tested on: Windows 10

1. Description:
This plugin shows the most trending threads. Trending thread titles aren't sanitized to user input.

2. Proof of Concept:

- Have a trending thread in the widget
- Change the thread title to a payload   <script>alert('XSS')</script>
Anyone that visits the forum will execute payload
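The description and the mitigation above describe the same defect from two sides: a user-controlled thread title is concatenated into the widget's HTML, and the fix is to escape it for the HTML context at output time. The following PHP is an added illustration, not code from the trends-widget plugin or from the author; the renderer functions, the sample thread rows and the check routine are all constructed here. It shows a minimal trending-list renderer in the vulnerable form beside the hardened form and verifies that the page's payload survives the first and is neutralised by the second.

```php
<?php
// Added illustration (not the trends-widget plugin's code): a minimal
// trending-thread list renderer, vulnerable and hardened. Thread titles are
// user-controlled, so the widget must HTML-escape them when it outputs them.
// render_trending_unsafe, render_trending_safe, check and the sample rows
// are constructed for this example.

declare(strict_types=1);

/**
 * Vulnerable form: the title is concatenated straight into HTML.
 * A title such as <script>alert('XSS')</script> becomes live markup
 * for every visitor who loads the widget (stored XSS).
 */
function render_trending_unsafe(array $threads): string
{
    $html = "<ul class=\"trending\">\n";
    foreach ($threads as $thread) {
        $html .= "  <li><a href=\"showthread.php?tid={$thread['tid']}\">{$thread['subject']}</a></li>\n";
    }
    return $html . "</ul>\n";
}

/**
 * Hardened form: every user-controlled value is escaped for the HTML
 * context it lands in. ENT_QUOTES covers both attribute and text
 * contexts, ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output,
 * and the tid is cast to int so it cannot carry markup either.
 * (MyBB core provides htmlspecialchars_uni() for the same job; plain
 * htmlspecialchars() is used here so the snippet runs stand-alone.)
 */
function render_trending_safe(array $threads): string
{
    $html = "<ul class=\"trending\">\n";
    foreach ($threads as $thread) {
        $tid     = (int) $thread['tid'];
        $subject = htmlspecialchars((string) $thread['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "  <li><a href=\"showthread.php?tid={$tid}\">{$subject}</a></li>\n";
    }
    return $html . "</ul>\n";
}

/** Fail loudly instead of relying on assert(), which php.ini may disable. */
function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $message);
    }
}

// Constructed sample data: one benign title, one carrying the page's payload.
$threads = [
    ['tid' => 42, 'subject' => 'Welcome to the forum'],
    ['tid' => 43, 'subject' => "<script>alert('XSS')</script>"],
];

$unsafe = render_trending_unsafe($threads);
$safe   = render_trending_safe($threads);

// The raw <script> tag must never survive escaping; the hardened output must
// carry only the entity-encoded form, which the browser renders as text.
check(strpos($unsafe, "<script>alert('XSS')</script>") !== false, 'unsafe renderer reproduces the defect');
check(strpos($safe, '<script>') === false, 'hardened renderer emits no raw script tag');
check(strpos($safe, '&lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;') !== false, 'payload is entity-encoded');

echo "vulnerable output:\n", $unsafe, "\nhardened output:\n", $safe;
```

Run it with `php render_trending.php`; the three checks pass silently and the two renderings are printed for comparison. The same pattern applies to any other user-controlled field the widget prints (author names, forum names): escape at the point of output, in the context the value lands in, rather than trusting that the value was cleaned when it was stored.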