MyBB Downloads Plugin Persistent Cross-Site Scripting Vulnerability
Vulnerability
A persistent cross-site scripting vulnerability has been identified in the MyBB Downloads Plugin version 2.0.3. Regular members can inject malicious scripts through the download title field. The title is stored with the download, and when an administrator validates the download in downloads.php, the injected HTML or JavaScript code is executed in the administrator's browser.
Impact
Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.
Reproduction
To reproduce this vulnerability, a regular member must create a new download in the MyBB Downloads Plugin version 2.0.3. The title of the download should include a script injection, such as a JavaScript event handler. Once the download is submitted, the injected script will execute when an administrator reviews and validates the download.
Remediation
Users are advised to update to the latest version of the MyBB Downloads Plugin.
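The flaw described above is an output-encoding gap: a member-supplied title is written into the validation page as HTML. The following is an added illustration, not the plugin's own code; the row layout, field names and function names are hypothetical and the sample records are constructed. It shows the unsafe rendering pattern beside an encoded one, plus a triage check for titles that were stored before updating.

```php
<?php
// Added example; not taken from the Downloads plugin. All names are hypothetical.

// Constructed sample of a pending-download queue as an administrator would see it.
$pending = [
    ['did' => 7, 'title' => 'Theme pack <b onmouseover="alert(1)">v2</b>', 'author' => 'member1'],
    ['did' => 8, 'title' => 'Icons & "badges"', 'author' => 'member2'],
];

// Vulnerable pattern: the stored title is concatenated into HTML as-is,
// so any markup in it becomes part of the admin page.
function render_row_unsafe(array $d): string
{
    return '<tr><td>' . $d['title'] . '</td><td>' . $d['author'] . '</td></tr>';
}

// Encode member-controlled values at output time. ENT_QUOTES also covers
// attribute contexts; MyBB code would normally use its htmlspecialchars_uni() helper.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $d): string
{
    return '<tr><td>' . h($d['title']) . '</td><td>' . h($d['author']) . '</td></tr>';
}

// Triage helper: a title that changes when tags are stripped contains markup
// and deserves a manual look before anyone opens it in the validation page.
function title_has_markup(string $title): bool
{
    return strip_tags($title) !== $title;
}

foreach ($pending as $d) {
    echo 'did ', $d['did'], ' markup in title: ',
         title_has_markup($d['title']) ? 'yes' : 'no', "\n";
    echo '  unsafe: ', render_row_unsafe($d), "\n";
    echo '  safe:   ', render_row_safe($d), "\n";
}
```

Because the payload is persistent, titles submitted before the update remain in the database; encoding at output time neutralizes them without rewriting stored data.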
