MyBB Downloads Plugin 2.0.3 Persistent XSS via downloads.php

Description

MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators validate the download in downloads.php.

Affected Products

Vendor	Product	Versions
mybb	downloads plugin	2.0.3

References

https://www.exploit-db.com/exploits/44400(exploit)
https://community.mybb.com/mods.php?action=view&pid=854(product)
https://www.vulncheck.com/advisories/mybb-downloads-plugin-persistent-xss-via-downloads-php(third-party-advisory)

Related News (1 articles)

Tier C

VulDB15h ago

CVE-2018-25248 | Downloads Plugin 2.0.3 on MyBB Parameter Title cross site scripting (Exploit 44400 / EDB-44400)

→ No new info (linked only)

CVSS 3.17.2 NONE

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-79

PublishedApr 4, 2026

Last enriched15h agov2

Trending Score37

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (3)

Version History

Last enriched 15h ago

v2Tier C15h ago

Updated severity to HIGH, marked exploit as available, and noted that the vulnerability is actively exploited.

descriptionseverityexploitAvailableactivelyExploited

via VulDB

v118h ago

Initial creation