CVE-2023-53979
MyBB · MyBB
A high-severity vulnerability has been identified in MyBB forum software: a low-privileged user can store a crafted custom user title that runs as script in an administrator's browser when the user's record is viewed in the Admin Control Panel.
Executive summary
A high-severity vulnerability has been identified in MyBB forum software. A low-privileged user who is allowed to set a custom user title can store attacker-controlled JavaScript in that field. When an administrator views the user's record in the Admin Control Panel, the script runs in the administrator's browser, letting the attacker act with the administrator's session and take complete control of the forum. This could lead to data theft, website defacement, and further attacks against the forum's user base.
Vulnerability
This is a stored Cross-Site Scripting (XSS) vulnerability within the Admin Control Panel (Admin CP). An authenticated attacker with low privileges (any registered user whose usergroup has the "Can set custom user title?" permission) can place a script in the "Custom User Title" field of their profile through the User CP. The application fails to HTML-encode this value when it renders it in the Admin CP, so when a high-privileged user, such as an administrator, views the attacker's user record there, the stored script executes in the context of the administrator's browser session. Because the script runs inside the Admin CP origin, it can read the page's CSRF token (my_post_key) and submit administrative forms itself, so the Admin CP's CSRF protection does not limit what it can do. The correct fix is output encoding at the point of rendering; MyBB provides htmlspecialchars_uni() for exactly this purpose.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to a full compromise of the MyBB forum. An attacker could hijack an administrator's session to perform any action the administrator is authorized to do, including creating new admin accounts, deleting or modifying content, accessing sensitive user data (such as emails and private messages), and installing malicious plugins. The potential consequences include significant data breaches, reputational damage, loss of user trust, and the use of the compromised forum to distribute malware to its visitors.
Remediation
Immediate Action: Upgrade all MyBB instances to version 1.8.37 or later, where this vulnerability is patched. The installed version is shown on the Admin CP home page and in the $version property in inc/class_core.php. Patching only stops the stored title from being rendered as script; any payload already saved remains in the users table, so query the usertitle column for markup and reset or remove any title that contains it. Then review the Admin CP's Administrator Log (Tools & Maintenance > Administrator Log, stored in the adminlog table) and your web server access logs for suspicious activity that may have occurred before patching, such as unauthorized usergroup changes, new administrator accounts, template or plugin changes, or unexpected configuration changes.
Proactive Monitoring: The custom title is submitted by a POST to the User CP profile form (usercp.php, action do_profile), not to the public profile page (member.php), and ordinary web server access logs record only the request line, so the payload will not appear in them. Inspect request bodies at a layer that sees them (a WAF or ModSecurity audit log), or check the usertitle column in the users table directly, for HTML tags (<script>, <img>, <svg>), HTML event handlers (e.g., onerror, onload), and javascript: URLs. Configure alerts for unusual entries in the Administrator Log, especially actions originating from unfamiliar IP addresses or occurring outside of normal business hours.
Compensating Controls: If patching is not immediately possible, a Web Application Firewall (WAF) with XSS rulesets applied to the usercp.php request body will block obvious payloads, but WAF rules are bypassable and should be treated as a stopgap. A more reliable temporary measure is to remove the "Can set custom user title?" permission from non-staff usergroups (Admin CP > Users & Groups > Groups), which removes the input vector entirely, and to clear any custom titles already stored. A strict Content Security Policy (CSP) would prevent untrusted inline scripts from executing, but MyBB's own pages, including the Admin CP, rely on inline scripts, so a policy that forbids them breaks the forum unless nonces or hashes are added; treat CSP as longer-term hardening rather than a quick mitigation.
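The post-patch hunt for stored payloads described under Immediate Action and Proactive Monitoring can be run directly against the users table. The script below is an added example for this advisory, not MyBB's code; it assumes MyBB's default schema (a prefix + "users" table with uid, username and usertitle columns, default prefix mybb_), which it reproduces in an in-memory SQLite database with constructed rows so it runs offline, and its indicator patterns are a starting point to tune rather than a complete XSS grammar.

```python
"""Hunt a MyBB users table for markup or script stored in custom user titles.

Added example for this advisory; not MyBB code. Assumptions:
  * schema follows MyBB's default (<prefix>users with uid, username,
    usertitle), reproduced here in in-memory SQLite with constructed rows;
  * the regexes are indicators for review, not a complete XSS grammar.
"""
import html
import re
import sqlite3

# Indicators of markup/script in what should be a plain-text title.
# Deliberately broad: a hunt wants hits to review, not a perfect oracle.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"        # an HTML tag or comment: <script, </b, <!--
    r"|\bon[a-z]+\s*="        # an event-handler attribute: onerror=, onload=
    r"|javascript\s*:",       # a javascript: URL in any attribute
    re.IGNORECASE,
)

# The table prefix is interpolated into SQL, so it is whitelisted first.
TABLE_PREFIX_RE = re.compile(r"^[A-Za-z0-9_]*$")


def is_suspicious(title: str) -> bool:
    """True if the title contains markup after HTML entities are decoded.

    Decoding first means an attempt that was entity-encoded on the way in
    (for example "&#60;svg ...") is still reported for review.
    """
    return bool(SUSPICIOUS.search(html.unescape(title)))


def find_suspicious_titles(conn, prefix: str = "mybb_") -> list:
    """Return [{uid, username, usertitle}, ...] for every flagged title.

    `conn` is any DB-API 2.0 connection; only cursor()/execute()/fetchall()
    are used, so the same function works against the live database.
    """
    if not TABLE_PREFIX_RE.match(prefix):
        raise ValueError("table prefix must match [A-Za-z0-9_]*")
    sql = (
        f"SELECT uid, username, usertitle FROM {prefix}users "
        "WHERE usertitle <> '' ORDER BY uid"
    )
    cur = conn.cursor()
    cur.execute(sql)
    hits = []
    for uid, username, usertitle in cur.fetchall():
        if is_suspicious(usertitle):
            hits.append({"uid": uid, "username": username, "usertitle": usertitle})
    return hits


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the real table; replace with your DB connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mybb_users (uid INTEGER PRIMARY KEY, "
        "username TEXT, usertitle TEXT)"
    )
    conn.executemany(
        "INSERT INTO mybb_users VALUES (?, ?, ?)",
        [
            (1, "admin", "Administrator"),
            (2, "alice", "I <3 forums & cats"),           # benign: '<3' is not a tag
            (3, "mallory", '<img src=x onerror="alert(1)">'),  # constructed payload
            (4, "bob", "Senior Member"),
            (5, "eve", "&#60;svg onload=alert(1)&#62;"),   # entity-encoded attempt
            (6, "carol", ""),                               # empty titles are skipped
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for hit in find_suspicious_titles(build_demo_db()):
        print(f"uid={hit['uid']:<4} {hit['username']:<10} {hit['usertitle']!r}")
```

Against a live forum, replace build_demo_db() with a connection to the real database and pass the prefix from $config['database']['table_prefix'] in inc/config.php. Every hit is a user record to review in the Admin CP and a title to reset; a hit on an entity-encoded value shows that someone tried even if the value would not have executed.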
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the high CVSS score of 8.8, the public availability of exploit code, and the low attacker privilege required, this vulnerability poses a critical risk to the organization. The potential for a complete forum takeover necessitates immediate action. Although this CVE is not listed on the CISA KEV catalog, its impact and exploitability warrant the highest remediation priority. We strongly recommend that all teams responsible for MyBB instances apply the vendor-supplied security update without delay to prevent a full compromise of the platform and its user data.