MyBB Active Threads plugin version 1.3.0 suffers from a cross-site scripting vulnerability.
advisories | CVE-2022-28354
# Exploit Title: MyBB Active Threads Plugin 1.3.0 – Cross-Site Scripting
# Date: February 9, 2022
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1336
# Version: 1.3.0
# Tested On: Windows 10
# CVE: CVE-2022-28354
This plugin shows a page of active threads. The date parameter is vulnerable to XSS when a time period is set.
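One way to close this class of bug, shown as an added example that is not the plugin's code or the advisory author's: validate the date value strictly, then HTML-encode it at output. The YYYY-MM-DD format, the function names and the input field are assumptions, since the advisory does not state what the plugin expects or where the value is rendered.

```php
<?php
declare(strict_types=1);

// Added example: strict validation plus output encoding for a "date"
// request parameter that ends up in page output. The YYYY-MM-DD format
// is an assumption; the advisory does not state the expected format.

/**
 * Return $raw unchanged if it is a real calendar date in YYYY-MM-DD form,
 * otherwise null. Arrays (date[]=...) and other non-strings are rejected.
 */
function parse_date_param(mixed $raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A(\d{4})-(\d{2})-(\d{2})\z/', $raw, $m)) {
        return null;
    }
    // checkdate(month, day, year) rejects values such as 2022-02-30.
    if (!checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        return null;
    }
    return $raw;
}

/**
 * Build the HTML fragment that shows the selected period (hypothetical
 * markup). The value is encoded for the attribute context even though it
 * was validated, so loosening the validator later does not reopen the bug.
 */
function render_period(?string $date): string
{
    if ($date === null) {
        return '<p>Invalid date.</p>';
    }
    $safe = htmlspecialchars($date, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="date" value="' . $safe . '">';
}

// Constructed sample inputs, not taken from the advisory.
$samples = ['2022-02-09', '2022-02-30', '"><b>constructed</b>', ['2022-02-09']];
foreach ($samples as $raw) {
    echo render_period(parse_date_param($raw)), PHP_EOL;
}
```

Only the first sample is rendered into the field; the impossible date, the markup-bearing string and the array form all fall through to the error message.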
Proof of Concept: