{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25249", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-04T13:23:08.958Z", "datePublished": "2026-04-04T13:51:14.111Z", "dateUpdated": "2026-04-06T13:27:13.858Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-04T19:59:59.185Z"}, "datePublic": "2018-02-21T00:00:00.000Z", "title": "MyBB My Arcade Plugin 1.3 Persistent XSS via Comment", "descriptions": [{"lang": "en", "value": "MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "MyBB", "product": "MyBB My Arcade Plugin", "versions": [{"version": "1.3", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mybb:mybb:1.3:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/44186", "name": "ExploitDB-44186", "tags": ["exploit"]}, {"url": "https://community.mybb.com/mods.php?action=view&pid=411", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: MyBB My Arcade Plugin 1.3 Persistent XSS via Comment", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/mybb-my-arcade-plugin-persistent-xss-via-comment"}], "credits": [{"lang": "en", "value": "0xB9", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:26:59.952278Z", "id": "CVE-2018-25249", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:27:13.858Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25249", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T13:26:59.952278Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:27:08.097Z"}}], "cna": {"title": "MyBB My Arcade Plugin 1.3 Persistent XSS via Comment", "credits": [{"lang": "en", "type": "finder", "value": "0xB9"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "MyBB", "product": "MyBB My Arcade Plugin", "versions": [{"status": "affected", "version": "1.3"}]}], "datePublic": "2018-02-21T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/44186", "name": "ExploitDB-44186", "tags": ["exploit"]}, {"url": "https://community.mybb.com/mods.php?action=view&pid=411", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/mybb-my-arcade-plugin-persistent-xss-via-comment", "name": "VulnCheck Advisory: MyBB My Arcade Plugin 1.3 Persistent XSS via Comment", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mybb:mybb:1.3:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-04T19:59:59.185Z"}}}, "cveMetadata": {"cveId": "CVE-2018-25249", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:27:13.858Z", "dateReserved": "2026-04-04T13:23:08.958Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-04T13:51:14.111Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment."}], "id": "CVE-2018-25249", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-04T14:16:20.860", "references": [{"source": "disclosure@vulncheck.com", "url": "https://community.mybb.com/mods.php?action=view&pid=411"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/44186"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/mybb-my-arcade-plugin-persistent-xss-via-comment"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "1.3"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "mybb", "vendor": "mybb"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MyBB My Arcade Plugin", "source": "cna", "vendor": "MyBB"}, "product": "mybb_my_arcade_plugin", "vendor": "mybb"}], "analysis": {"en": {"generated_at": "2026-04-04T17:22:39.812203+00:00", "value": {"mitigation_remediation": ["Check for an updated version of the MyBB My Arcade Plugin on the official plugin repository and apply the patch or upgrade to the latest release. If no update is available, remove or disable the plugin entirely. As a temporary mitigation, restrict or filter comment content to disallow script tags and sanitize user input before storage. If unable to update or filter, block access to the game\u2011score comment functionality until a secure solution is deployed."], "summary": {"action": "Apply Patch", "impact": "Persistent Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The flaw appears in the MyBB My Arcade Plugin version 1.3. Present only in the MyBB forum platform when this specific plugin version is installed.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw that allows any authenticated user of the MyBB My Arcade Plugin to insert malicious HTML and JavaScript into game\u2011score comments. When any other user views or edits the comment, the injected script runs in that user\u2019s browser. This can be leveraged to steal session information, deface content, or deliver further attacks in the context of the compromised account.", "risk_and_exploitability": "The CVSS score of 5.1 classifies the risk as moderate. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker be authenticated to the forum, so the attack vector is limited to authenticated web access. Once a malicious comment is posted, any visitor who views or edits that comment is affected, providing a broad impact within the legitimate user base."}}}}, "created": "2026-04-06T20:27:03.077797+00:00", "updated": "2026-04-06T21:57:38.861820+00:00", "vendors": ["mybb", "mybb$PRODUCT$mybb", "mybb$PRODUCT$mybb_my_arcade_plugin"]}