Volerion logoVolerion
Volerion logoVolerion

Ultimate PHP Board Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Ultimate PHP Board version 2.2.7. The issue arises in the 'lostpassword.php' file, specifically through the 'u_name' parameter, which is echoed back to users without adequate sanitization. This vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or credential theft.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, which could be used to hijack sessions or steal credentials.

Reproduction

To reproduce this vulnerability, navigate to the password recovery page of the forum. Enter a payload consisting of a script tag, such as an alert script, into the username field. When the form is submitted, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Added: Oct 16, 2025, 3:21 PM
Updated: Oct 16, 2025, 8:26 PM

Vulnerability Rating

Custom Algorithm
spread
3.4
impact
5.4
exploitability
7.9
remediation
0.0
relevance
0.7
threat
6.4
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.