MyBB Timeline Plugin Cross-Site Scripting and Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the MyBB Timeline Plugin version 1.0. It allows attackers to inject malicious scripts into thread titles, post content, and user profile fields such as Location and Bio. The plugin is also susceptible to cross-site request forgery (CSRF). The CSRF weakness in the timeline.php profile action lets an attacker change a user's cover picture: a crafted form that targets this action is submitted when the victim visits the affected profile.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user, and cross-site request forgery, where an attacker can perform actions on behalf of a user without their consent.

Reproduction

To reproduce the cross-site scripting vulnerability, inject a script payload into a thread title or post content; the script executes when the profile is viewed. For XSS via profile fields, enter a script payload in the Location or Bio section; it likewise executes when the profile is visited. To reproduce the cross-site request forgery vulnerability, create a form that submits to the timeline.php profile action with the fields needed to change the cover picture. When the victim visits their profile, the form is submitted automatically and the cover picture is changed.
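Both issues come down to the same two missing controls: output encoding for user-supplied strings and a server-side anti-CSRF check on the state-changing action. The following is an added example of how a MyBB 1.8 plugin handles both; it is not the Timeline plugin's own code. The function name timeline_profile_action, the field name cover_picture and the table name timeline_profiles are assumptions, while verify_post_check(), htmlspecialchars_uni(), $mybb->get_input() and $mybb->post_code are MyBB core APIs.

```php
<?php
// Added example, not the Timeline plugin's code. Plugin-specific names
// (timeline_profile_action, cover_picture, timeline_profiles) are assumed.

// Mitigation 1: output encoding. Every user-controlled string the timeline
// renders (thread subject, post message, Location, Bio) is encoded for an
// HTML context at output time, so a stored payload is shown as text rather
// than interpreted as markup.
function timeline_render_field($value)
{
    return htmlspecialchars_uni((string)$value);
}

// Mitigation 2: CSRF protection. The cover-picture change only proceeds for a
// POST that carries MyBB's per-session post key. A form submitted from another
// origin, or auto-submitted by an injected script, does not know the key, so
// verify_post_check() rejects it before any change is made.
function timeline_profile_action()
{
    global $mybb, $db;

    if ($mybb->request_method != 'post') {
        return; // a state change is never performed on GET
    }

    // Shows MyBB's "invalid post key" error and stops if the key is missing
    // or does not match the current session.
    verify_post_check($mybb->get_input('my_post_key'));

    $cover = $mybb->get_input('cover_picture', MyBB::INPUT_STRING);

    // Only accept a path-like value; reject anything that could carry markup.
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $cover)) {
        error('Invalid cover picture.');
    }

    $db->update_query(
        'timeline_profiles',
        array('cover' => $db->escape_string($cover)),
        'uid=' . (int)$mybb->user['uid']
    );
}

// The form the plugin emits must include the key as a hidden field:
// <input type="hidden" name="my_post_key" value="{$mybb->post_code}" />
```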

Added: May 16, 2026, 4:29 PM
Updated: May 16, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  7.7
remediation     0.0
relevance       8.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.