MyBB Visual Editor 1.8.18 Cross Site Scripting

MyBB Visual Editor versions 1.8.18 and below suffer from a cross site scripting vulnerability.

MD5 | 893adb3c1017a595010aefc716d0483e

[+] Title: MyBB Visual Editor Stored XSS <= v1.8.18
[+] Author: Numan OZDEMIR
[+] Vendor Homepage:
[+] Software Link:
[+] Version: Up to v1.8.18. Fixed in v1.8.19.
[+] PoC Video:
[+] CVE: CVE-2018-17128
[+] Discovered by Numan OZDEMIR in InfinitumIT Labs

[~] Description:

An attacker can run JavaScript code in a victim user's browser while the
victim is replying to a post.
The 'videotype' section causes this.

[~] How to Reproduce:

1)- Go to the thread posting page. (newthread.php, enter title and
2)- Click the "insert a video" command. Select any source and insert any
3)- Edit the video source with your payload.
Or, directly add this code:

4)- Post the thread.

While the victim user is replying to your post, their browser will run the JavaScript.
Vulnerable pages:
and all Visual Editor embedded pages.
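
Added example, not part of the original advisory and not MyBB's or its editor's code: a simplified model of a [video=TYPE]URL[/video] tag being turned into editor markup, showing the unvalidated type next to a hardened renderer. The function names, the placeholder markup and the allowlist are assumptions made for illustration.

```javascript
// Added example. Simplified model of video-tag rendering, not MyBB source.
// ALLOWED_VIDEO_TYPES is an assumed list; use the types your forum supports.
const ALLOWED_VIDEO_TYPES = new Set(["youtube", "vimeo", "dailymotion"]);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Parse one video tag into { type, url }, or null if it is not a video tag.
function parseVideoTag(bbcode) {
  const m = /^\[video=([^\]]*)\]([\s\S]*?)\[\/video\]$/i.exec(bbcode.trim());
  return m ? { type: m[1], url: m[2] } : null;
}

// Defect class: the type is copied into an attribute without validation.
function renderVideoUnsafe(bbcode) {
  const tag = parseVideoTag(bbcode);
  if (!tag) return escapeHtml(bbcode);
  return '<img class="video-placeholder" data-type="' + tag.type +
         '" data-url="' + tag.url + '">';
}

// Hardened: allowlist the type, require an http(s) URL, escape every value.
function renderVideoSafe(bbcode) {
  const tag = parseVideoTag(bbcode);
  if (!tag) return escapeHtml(bbcode);
  const type = tag.type.toLowerCase();
  let url;
  try { url = new URL(tag.url.trim()); } catch { url = null; }
  const ok = ALLOWED_VIDEO_TYPES.has(type) && url !== null &&
             (url.protocol === "https:" || url.protocol === "http:");
  if (!ok) return escapeHtml(bbcode); // show the rejected tag as inert text
  return '<img class="video-placeholder" data-type="' + escapeHtml(type) +
         '" data-url="' + escapeHtml(url.href) + '">';
}

// Constructed input: a quote in the type closes the attribute early.
const sample = '[video=youtube" data-injected="1]https://example.test/v/1[/video]';
console.log(renderVideoUnsafe(sample)); // type breaks out of data-type
console.log(renderVideoSafe(sample));   // whole tag rendered as escaped text
```

The same allowlist check belongs on the server when the post is saved and rendered, since editor-side filtering alone can be bypassed by posting directly.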

// for secure days...
