CVE-2021-43281

Name of the Vulnerable Software and Affected Versions MyBB versions prior to 1.8.29

Description The issue allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.

Recommendations For MyBB versions prior to 1.8.29, update to version 1.8.29 or later to resolve the issue. As a temporary workaround, consider restricting the "Can manage settings?" permission to minimize the risk of exploitation.