PT-2023-29931 · SCEditor +1
Author: Paulos Yibelo
Published: 2023-11-06 · Updated: 2024-03-06
CVE-2023-46251
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.37

Description: The issue arises from custom MyCode (BBCode) for the visual editor (SCEditor) not escaping input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active and operates on a maliciously crafted MyCode message. The impact can occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted.

Recommendations: For MyBB versions prior to 1.8.37, upgrade to version 1.8.37 to resolve the issue. As a temporary workaround, consider disabling the visual editor globally by setting Clickable Smilies and BB Code → Clickable MyCode Editor to Off in the Admin CP. Alternatively, individual users can disable the visual editor by unchecking the Show the MyCode formatting options on the posting pages checkbox in their User CP.
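The rendering flaw the description refers to, illustrated with an added example that is not MyBB's or SCEditor's code: a toy custom-MyCode-to-HTML converter in the vulnerable shape (user-controlled fragments concatenated straight into the HTML string the editor renders) beside a hardened version that escapes each fragment for the context it lands in, plus a small check that flags fragments surviving as raw markup. The `[note=...]` MyCode, its attribute, the function names and the sample message are all constructed for this demonstration.

```javascript
// Escape the characters that matter in HTML text and quoted-attribute contexts.
// '&' is replaced first so already-escaped output is not double-escaped later.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical custom MyCode: [note=caption]body[/note].
// Group 1 is the caption (everything up to the closing bracket), group 2 the body.
const NOTE_RE = /\[note=([^\]]*)\]([\s\S]*?)\[\/note\]/g;

// Vulnerable shape: the captured caption and body are interpolated directly
// into markup, so a caption can break out of the title attribute and a body
// can contribute its own elements to the DOM.
function renderNoteUnsafe(mycode) {
  return mycode.replace(NOTE_RE, (m, caption, body) =>
    `<div class="note" title="${caption}">${body}</div>`);
}

// Hardened shape: every user-controlled fragment is escaped before it is
// placed into the attribute value or the element text.
function renderNoteSafe(mycode) {
  return mycode.replace(NOTE_RE, (m, caption, body) =>
    `<div class="note" title="${escapeHtml(caption)}">${escapeHtml(body)}</div>`);
}

// Review-time check: run a renderer over a message and return every captured
// fragment that contains markup-significant characters and still appears
// verbatim in the output. An empty list means nothing reached the DOM raw.
function unescapedFragments(mycode, render) {
  const html = render(mycode);
  const found = [];
  for (const m of mycode.matchAll(NOTE_RE)) {
    for (const fragment of [m[1], m[2]]) {
      if (/[<>"'&]/.test(fragment) && html.includes(fragment)) {
        found.push(fragment);
      }
    }
  }
  return found;
}

// Constructed sample message: the caption tries to close the title attribute
// and add an attribute of its own; the body carries an HTML element.
const SAMPLE = '[note=x" data-injected="1]<b>bold</b>[/note]';

console.log('unsafe:', renderNoteUnsafe(SAMPLE));
console.log('safe:  ', renderNoteSafe(SAMPLE));
console.log('raw fragments (unsafe):', unescapedFragments(SAMPLE, renderNoteUnsafe));
console.log('raw fragments (safe):  ', unescapedFragments(SAMPLE, renderNoteSafe));
```

Escaping is context-specific: the hardened renderer above covers attribute values and element text, which is what this toy MyCode produces. A custom MyCode that emits a URL-valued attribute (href, src) or inline style needs validation of the value's scheme or grammar on top of this escaping.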

Tag: XSS

Weakness Enumeration

Related Identifiers
BIT-MYBB-2023-46251
CVE-2023-46251
GHSA-WJ33-Q7VJ-9FR8

Affected Products
MyBB
SCEditor