CVE-2021-39338

Name of the Vulnerable Software and Affected Versions: MyBB Cross-Poster WordPress plugin versions up to and including 1.0

Description: The issue arises from insufficient input validation and sanitization via several parameters in the ~/classes/MyBBXPSettings.php file, allowing attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered html is disabled for administrators, and sites where unfiltered html is disabled.

Recommendations: For versions up to and including 1.0, update to a version that addresses the insufficient input validation and sanitization issue. As a temporary workaround, consider restricting access to the ~/classes/MyBBXPSettings.php file to minimize the risk of exploitation. Restrict the use of parameters in the ~/classes/MyBBXPSettings.php file that are used for input validation and sanitization until a patch is available.