Authored by 0xB9

MyBB Export User plugin version 2.0 suffers from a cross-site scripting vulnerability.

advisories | CVE-2023-27890

# Exploit Title: MyBB Export User Plugin 2.0 – Cross-Site Scripting
# Date: January 29, 2021
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link:
# Version: 2.0
# Tested On: Windows 10
# CVE: CVE-2023-27890

This plugin lets users request an export of their data. The XSS occurs when an admin generates the data for the user.

Proof of Concept:

– As a regular user, go to User CP -> Edit Profile
– Add a payload in Custom User Title, Location, or Bio: <script>alert(1)</script>
– Request your data via User CP -> DSGVO data request
– Log in as admin; you will be notified that a user wants their data
– When generating the user's data, their payload will execute
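
Mitigation sketch (an added example, not the plugin's code and not from the advisory author): the profile fields named above are user-controlled, so they need HTML encoding at the point where the export page is built. The function names and the $profile array below are hypothetical, and the sample values are constructed; the plugin's actual output code is not shown on this page.

```php
<?php
// Added illustration; NOT the Export User plugin's source.
// Function names and the $profile array are hypothetical.

// Constructed sample: profile fields a regular user controls.
$profile = [
    'usertitle' => '<script>alert(1)</script>',
    'location'  => 'Berlin & "elsewhere"',
    'bio'       => "line one\nline two",
];

// Unsafe pattern: stored value concatenated straight into HTML.
function render_row_unsafe(string $label, string $value): string
{
    return "<tr><td>{$label}</td><td>{$value}</td></tr>";
}

// Hardened pattern: encode on output for the HTML text context.
function render_row_safe(string $label, string $value): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // nl2br runs after encoding, so only the <br> tags it adds are live markup.
    return '<tr><td>' . $enc($label) . '</td><td>' . nl2br($enc($value)) . '</td></tr>';
}

foreach ($profile as $field => $value) {
    $unsafe = render_row_unsafe($field, $value);
    $safe   = render_row_safe($field, $value);
    // A live <script> tag in the output means the admin's browser would run it.
    printf(
        "%-10s unsafe has <script>: %s | safe has <script>: %s\n",
        $field,
        stripos($unsafe, '<script') !== false ? 'yes' : 'no',
        stripos($safe, '<script') !== false ? 'yes' : 'no'
    );
    echo "  safe: {$safe}\n";
}
```

Inside MyBB itself, the core helper htmlspecialchars_uni() serves the same purpose as the htmlspecialchars() call used here.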