CVE-2018-25248— MyBB Downloads Plugin 2.0.3 Persistent XSS via downloads.php
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2018-25248
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MyBB Downloads Plugin 2.0.3 Persistent XSS via downloads.php
Source: NVD (National Vulnerability Database)
Vulnerability Description
MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators validate the download in downloads.php.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
MyBB(MyBulletinBoard) 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MyBB(MyBulletinBoard)是MyBB团队的一套用PHP和MySQL开发的免费且基于Web的论坛软件。该软件具有简单易用、支持多国语言、可扩展等特点。 MyBB(MyBulletinBoard) 2.0.3版本存在跨站脚本漏洞,该漏洞源于下载标题字段未正确清理输入,可能导致普通成员通过下载标题参数注入恶意脚本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MyBB | MyBB Downloads Plugin | 2.0.3 | - |
II. Public POCs for CVE-2018-25248
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2018-25248
请登录查看更多情报信息。
Same Patch Batch · MyBB · 2026-04-04 · 4 CVEs total
| CVE-2018-25250 | 7.2 HIGH | MyBB Last User's Threads in Profile Plugin 1.2 Persistent XSS |
| CVE-2018-25249 | 6.4 MEDIUM | MyBB My Arcade Plugin 1.3 Persistent XSS via Comment |
| CVE-2018-25247 | 6.1 MEDIUM | MyBB Like Plugin 3.0.0 Cross-Site Scripting via User Profiles |
IV. Related Vulnerabilities
Same vendor: MyBB
- CVE-2018-25309
MyBB Recent threads 17.0 Persistent Cross-Site Scripting - CVE-2018-25250
MyBB Last User's Threads in Profile Plugin 1.2 Persistent XS - CVE-2018-25249
MyBB My Arcade Plugin 1.3 Persistent XSS via Comment - CVE-2018-25247
MyBB Like Plugin 3.0.0 Cross-Site Scripting via User Profile - CVE-2023-53978
myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Ann
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2018-25248
No comments yet