PT-2022-24855 · Mybb · Mybb
Vz · Published 2022-10-06 · Updated 2024-03-06 · CVE-2022-39265

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.31

Description: MyBB allows access to sensitive information and remote code execution (RCE) through the value of the Mail Settings → Additional Parameters setting, which is passed as the additional parameters argument of PHP's mail() function; the impact depends on the options and behavior of the configured mail program. Exploitation requires Admin CP access with the "Can manage settings?" permission and may depend on configured file permissions.

Recommendations: For MyBB versions prior to 1.8.31, upgrade to version 1.8.31 or later to resolve the issue. As a temporary workaround, restrict access to the Admin CP and limit the "Can manage settings?" permission to minimize the risk of exploitation.
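The description above boils down to an administrator-controlled string reaching the additional parameters argument of mail(). The following is an added illustration of a defensive allowlist check for that setting, not MyBB's own code or its actual fix; the function names and the choice of allowing only an envelope-sender option are assumptions made for this example.

```php
<?php
// Added example (not MyBB code): validate the "Additional Parameters" setting
// before it reaches PHP's mail(). Allowlist approach: the only accepted form is
// an envelope sender option (-f) carrying a syntactically valid address.
// Any other switch, extra token or stray character is rejected outright.

function validate_mail_parameters(string $params): bool
{
    $params = trim($params);
    if ($params === '') {
        return true; // empty string is the safe default
    }
    // Exactly one "-f<address>" or "-f <address>", nothing before or after.
    if (!preg_match('/^-f\s?(\S+)\z/', $params, $m)) {
        return false;
    }
    return filter_var($m[1], FILTER_VALIDATE_EMAIL) !== false;
}

// Wrapper a settings-driven mailer could use: an invalid setting is logged
// and dropped rather than forwarded to the mail program.
function send_with_checked_params(
    string $to, string $subject, string $body, string $headers, string $params
): bool {
    if (!validate_mail_parameters($params)) {
        error_log('mail(): rejected unsafe additional_parameters setting');
        $params = '';
    }
    return mail($to, $subject, $body, $headers, $params);
}

// Constructed sample settings with the expected verdict for each.
$samples = [
    ''                            => true,
    '-f bounce@example.com'       => true,
    '-fbounce@example.com'        => true,
    '-f not-an-address'           => false,
    '-f bounce@example.com -v'    => false, // second switch: not allowlisted
    '-o bounce@example.com'       => false, // option other than -f
];
foreach ($samples as $value => $expected) {
    $ok = validate_mail_parameters((string) $value);
    printf("%-30s => %s%s\n", var_export((string) $value, true),
        $ok ? 'accepted' : 'rejected', $ok === $expected ? '' : '  (UNEXPECTED)');
}
```

The same check can be applied when the setting is saved in the Admin CP, so that an unsafe value never persists in the first place.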

Exploit · Fix

Weakness Enumeration: RCE, Special Elements Injection, Command Injection

Related Identifiers

BIT-MYBB-2022-39265
CVE-2022-39265
GHSA-HXHM-RQ9F-7XJ7

Affected Products

Mybb