Security Experts:

Connect with us

Hi, what are you looking for?



Over 100 Vulnerabilities Patched in MyBB in Past 5 Years

The developers of the free and open-source forum software MyBB have shared some data on the vulnerabilities patched in their product over the past years.

The developers of the free and open-source forum software MyBB have shared some data on the vulnerabilities patched in their product over the past years.

According to MyBB developers, 103 vulnerabilities have been patched in the 1.8.x branch since its release in 2014. Nearly three quarters of these flaws were reported through MyBB’s security program and 19 percent were discovered internally. The vulnerabilities were patched across 19 security releases.

In total, the developers revealed, more than 270 vulnerabilities were found and patched in MyBB since the release of version 1.0 in 2005.

A total of 50 people discovered vulnerabilities in MyBB 1.8, and 40% of them reported two or more valid issues. Vulnerabilities found in MyBB can be reported through the organization’s Private Inquiries forum, which has been used to submit most reports, and email.

As for the types of security holes found in MyBB 1.8, developers said the most common was cross-site scripting (XSS), with 49 cases of persistent, reflected and DOM-based XSS. The second most common types of vulnerabilities were improper access control and SQL injection, with 7 cases each.

Other types of flaws included code injection, information exposure, cross-site request forgery (CSRF), path traversal, improper input validation, small space of random values, and server-side request forgery (SSRF).

In terms of risk, only a dozen vulnerabilities were classified as high risk; 33 were rated medium risk and 58 low risk.

According to MyBB, 49 flaws could be exploited by low-privileged users, 22 required moderator or user permissions, and 32 required admin permissions for successful exploitation.

MyBB vulnerabilities

“A rundown of recently remediated weaknesses suggest that MyBB forums with a common configuration, running on version 1.8.20 or older, can be breached with minimal interaction of unsuspecting forum administrators, through the exploitation of an XSS & Code Injection weakness,” MyBB developers explained.

“Moreover, boards running 1.8.18 or older may be damaged with no interaction whatsoever by attackers escalating permissions of their own accounts to the administrator user group, as a result of an especially fatal SQL Injection vulnerability within the sign-up process. These points of peak exposure underline the importance of keeping live MyBB forums easy to update (e.g. by avoiding core file modifications, in favor of plugin hooks) and performing actual upgrades as soon as they’re released,” they added.

MyBB believes that changes made in the upcoming 1.9 version and general security improvements in web browsers will lead to fewer vulnerabilities in the future.

Related: MyBB Says Hacker Didn’t Access User Data, Source Code

Related: SQL Injection Vulnerability Patched in IP.Board Forum Software

Related: Comodo Forums Hacked via Recently Disclosed vBulletin Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.