Over 100 Vulnerabilities Patched in MyBB in Past 5 Years

The developers of the free and open-source forum software MyBB have shared some data on the vulnerabilities patched in their product over the past years.


According to MyBB developers, 103 vulnerabilities have been patched in the 1.8.x branch since its release in 2014. Nearly three quarters of these flaws were reported through MyBB’s security program and 19 percent were discovered internally. The vulnerabilities were patched across 19 security releases.


In total, the developers revealed, more than 270 vulnerabilities were found and patched in MyBB since the release of version 1.0 in 2005.


A total of 50 people discovered vulnerabilities in MyBB 1.8, and 40% of them reported two or more valid issues. Vulnerabilities found in MyBB can be reported through the organization’s Private Inquiries forum, which has been used to submit most reports, and email.


As for the types of security holes found in MyBB 1.8, developers said the most common was cross-site scripting (XSS), with 49 cases of persistent, reflected and DOM-based XSS. The second most common types of vulnerabilities were improper access control and SQL injection, with 7 cases each.


Other types of flaws included code injection, information exposure, cross-site request forgery (CSRF), path traversal, improper input validation, small space of random values, and server-side request forgery (SSRF).


In terms of risk, only a dozen vulnerabilities were classified as high risk; 33 were rated medium risk and 58 low risk.


According to MyBB, 49 flaws could be exploited by low-privileged users, 22 required moderator or user permissions, and 32 required admin permissions for successful exploitation.



“A rundown of recently remediated weaknesses suggest that MyBB forums with a common configuration, running on version 1.8.20 or older, can be breached with minimal interaction of unsuspecting forum administrators, through the ex ..

Support the originator by clicking the read the rest link below.