CVE-2018-10365
Description
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: = 1.3
- Range: <= 1.3
Patches
Vulnerability mechanics
Root cause
"The thread link input box is not properly sanitized, allowing for cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by editing a thread or post they have made. In the "Thread Link" box on the edit page, the attacker inputs a payload containing script tags, such as `<a """><SCRIPT>alert("XSS")</SCRIPT></a>`. When another user visits the forum where this thread/post exists, the injected script will execute, leading to a persistent XSS attack [ref_id=1].
Affected code
The vulnerability exists in the Threads to Link plugin version 1.3 for MyBB. Specifically, the issue lies within the handling of the thread link input when a user edits a thread. The patch indicates the affected line is 83, where the `tlink` variable is processed before being displayed [ref_id=1].
What the fix does
The patch modifies line 83 to include `htmlspecialchars_uni()` when processing the thread link. This function properly sanitizes the input by converting special characters into their HTML entity equivalents, preventing the browser from interpreting the input as executable script code. This change effectively mitigates the cross-site scripting vulnerability by ensuring that user-supplied thread links are displayed as plain text rather than being rendered as active HTML or script [ref_id=1].
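To show concretely what the patch changes, here is an added PHP example (not the plugin's or MyBB's own code): a vulnerable and a patched rendering of the stored thread link side by side, fed the payload the advisory quotes. `htmlspecialchars_uni()` is re-implemented locally after MyBB's helper so the script runs stand-alone; the template strings and the `render_thread_link_*` function names are assumptions.

```php
<?php
// Added example for CVE-2018-10365 (not the plugin's own code): the stored
// thread link rendered unescaped versus escaped with htmlspecialchars_uni().
// htmlspecialchars_uni() is a local re-implementation of MyBB's helper
// (inc/functions.php) so this runs stand-alone; templates below are assumed.

function htmlspecialchars_uni($message)
{
    // Escape '&' unless it already starts a numeric entity, then the
    // HTML metacharacters. Escaping '"' is what keeps a value inside an
    // attribute such as href="..." instead of letting it break out.
    $message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message);
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return $message;
}

// Vulnerable rendering (assumed template): the stored link is interpolated verbatim,
// so any markup in it is handed to the browser as HTML.
function render_thread_link_vulnerable($tlink)
{
    return '<a href="' . $tlink . '">' . $tlink . '</a>';
}

// Patched rendering: the value is escaped before it reaches the template,
// which is the change the patch makes on line 83 of the plugin.
function render_thread_link_fixed($tlink)
{
    $tlink = htmlspecialchars_uni($tlink);
    return '<a href="' . $tlink . '">' . $tlink . '</a>';
}

// Constructed input: the payload quoted in the advisory.
$tlink = '<a """><SCRIPT>alert("XSS")</SCRIPT></a>';

echo "Unescaped: " . render_thread_link_vulnerable($tlink) . "\n";
echo "Escaped:   " . render_thread_link_fixed($tlink) . "\n";

// Reviewer's check: no raw angle bracket or double quote survives escaping,
// so the browser renders the value as text rather than as an element or attribute.
assert(strpbrk(htmlspecialchars_uni($tlink), '<>"') === false);
```

In the escaped output the payload appears as `&lt;a &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;...`, which the browser displays literally instead of executing.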
Preconditions
- Auth: The attacker must have the ability to edit a thread or post they have made.
- Input: The attacker must inject a malicious script payload into the 'Thread Link' input field.
Reproduction
- Edit a thread or post you've made.
- At the bottom of the edit page, in the Thread Link box, input the following: `<a """><SCRIPT>alert("XSS")</SCRIPT></a>`
- Now visit the forum your thread/post exists in to see the alert. [ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.exploit-db.com/exploits/44547/ (Exploit-DB)