CVE-2018-25309 MEDIUM

CVE-2018-25309: MyBB Recent threads 17.0 Persistent Cross-Site Scripting

Vendor Mybb

Product MyBB Recent threads

Weakness CWE-79 · XSS

Published April 29, 2026

Last update May 24, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.

Key dates

02Disclosure timeline

April 29, 2026 CVE published

May 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2018-25309 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-6756 Ultra Addons for Contact Form 7 <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode CVE-2024-12588 Shortcodes and extra features for Phlox theme <= 2.17.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget CVE-2024-1157 Bold Page Builder <= 4.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL CVE-2006-10001 Subscribe to Comments Plugin subscribe-to-comments.php cross site scripting CVE-2024-3792 Cross-site Scripting vulnerability in WBSAirback