MyBB My Arcade Plugin 1.3 Persistent XSS via Comment

Description

MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Attackers can add crafted HTML and JavaScript payloads in the comment field that execute when other users view or edit the comment.

Affected Products

Vendor	Product	Versions
mybb	my arcade plugin	1.3

References

https://www.exploit-db.com/exploits/44186(exploit)
https://community.mybb.com/mods.php?action=view&pid=411(product)
https://www.vulncheck.com/advisories/mybb-my-arcade-plugin-persistent-xss-via-comment(third-party-advisory)

Related News (1 articles)

Tier C

VulDB15h ago

CVE-2018-25249 | My Arcade Plugin 1.3 on MyBB Comment cross site scripting (Exploit 44186 / EDB-44186)

→ No new info (linked only)

CVSS 3.16.4 NONE

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-79

PublishedApr 4, 2026

Last enriched15h agov2

Trending Score37

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (3)

Version History

Last enriched 15h ago

v2Tier C15h ago

Updated severity to HIGH and marked the vulnerability as actively exploited with an available exploit.

severityexploitAvailableactivelyExploited

via VulDB

v118h ago

Initial creation