MyBB Threads to Link Plugin 1.3 CVE-2018-10365 – Cross-Site Scripting

Authors:0XB9                 Risk:High

CVE:CVE-2018-10365          0day:Cross-Site Scripting

0day -id:0DAY-176106         Date:2018-04-27


A problem was found in MyBB Threads to Link Plugin 1.3 Plugin 1.4.5. Cross-Site Scripting exists in the name field.


# Exploit Title: MyBB Threads to Link Plugin v1.3 - Persistent XSS
# Date: 3/15/2018
# Author: 0xB9
# Contact: or 0xB9[at]
# Software Link:
# Version: v1.3
# Tested on: Ubuntu 17.10
CVE: CVE-2018-10365

Persistent XSS
- Edit a thread or post you've made
- At the bottom of the edit page in the Thread Link box input the following <a """><SCRIPT>alert("XSS")</SCRIPT>">
- Now visit the forum your thread/post exists in to see the alert.


The plugin has since been removed after notifying the author.

Patch in line 83:
$thread['tlink'] = ($thread['tlink']);
$thread['tlink'] = htmlspecialchars_uni($thread['tlink']);

Leave a Reply