MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting

EDB-ID: 44795
Author: 0xB9
Published: 2018-05-29
CVE: CVE-2018-11532
Type: Webapps
Platform: PHP
Vulnerable App: N/A

 # Date: 5/25/2018 
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]
# Software Link:
# Version: 1.0.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-11532

1. Description:
This plugin displays advanced statistics on the index page such as latest posts with auto refresh using AJAX.

2. Proof of Concept:
Create a new thread with the following payload as the title <svg onload=alert('XSS')>

The alert will appear on the index page

3. Solution:
Update to the latest release

Related Posts