According to security researchers Simon Scannell and Carl Smith, there are critical vulnerabilities in the popular bulletin board software which could have allowed an attacker to get remote code execution (RCE) without having authorized access. The first is a nested auto URL persistent XSS vulnerability (CVE-2021-27889), which flaw stems from how MyBB parses messages with URLs, allowing unprivileged forum user to embed stored XSS payloads into threads and even private messages during the rendering process.
And the second vulnerability is an SQL injection (CVE-2021-27890) in the forum's theme manager which could lead to an authenticated remote code execution (RCE). The successful exploitation happens when an administrator with the "Can manage themes?" permission imports maliciously crafted theme, or a user visits a forum page where the theme has been set.
The vulnerabilities were promptly reported to the MyBB Team, and they subsequently released a patch on March 10, with MyBB software version 1.8.26 to address the issues.
How MyBB Vulnerabilities could have been chained together to achieve remote code execution (RCE)
The MyBB vulnerability could be exploited with minimal interaction by simply saving a maliciously crafted MyCode message on the server as a thread post or Private Message and luring a victim to a page where the content has been parsed.
Alternatively, an attacker could devise an exploit for the Stored XSS vulnerability by sending a private message to a targeted administrator on MyBB board, which as soon as the administrator opens the private message, the exploit will be triggered. And the RCE vulnerability will be automatically exploited in the background leading to a full takeover of the targeted MyBB forum.
The flaws currently affect MyBB forums with versions 1.8.16 and 1.8.25 , which vulnerabilities can be chained together to achieve Remote Code Execution (RCE) without any prior access to a privileged account on default MyBB-configurations.
How to Mitigate the risks associated with the flaws
Aside the two vulnerabilities mentioned above, MyBB latest version 1.8.26 also fixes other four security issues, namely: Improper validation of votes in thread poll options, which leads to SQL injection (CVE-2021-27946), Improper sanitization of data, resulting SQL injection (CVE-2021-27947), additional User Groups ID numbers saved without proper validation in the Admin Control Panel, leading to SQL injection (CVE-2021-27948) and lastly, a reflected XSS vulnerability in custom Moderator Tools (CVE-2021-27949).
Therefore, all MyBB users are hereby recommended to update their software to MyBB version 1.8.26 in order to mitigate the risks associated with the flaws.