Osanda Malith, an independent security researcher has released his new findings in a blog post yesterday. He demonstrated a newly found zero-day that allows an attacker to inject code into Mybb’s search.php file via a POST XSS exploit.
In the blog post, he writes “This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given.”
After injection, Mybb spits out a SQL error:
You can view the POC video here:
You can get the POC script here: