CVE-2021-47934
Description
MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php profile action to change a user's cover picture by crafting malicious forms that execute when victims visit affected profiles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MyBB Timeline Plugin 1.0 has XSS in thread titles, posts, and profile fields, plus CSRF to change cover pictures, allowing script injection and unauthorized profile modifications.
Vulnerability
MyBB Timeline Plugin 1.0 contains multiple cross-site scripting (XSS) vulnerabilities in thread titles, post content, and user profile fields (Location and Bio). Additionally, a cross-site request forgery (CSRF) vulnerability exists in the timeline.php?action=profile endpoint, allowing an attacker to change a user's cover picture. These issues affect version 1.0 of the plugin [1][3].
Exploitation
For XSS, an attacker can inject a script payload into a thread title or post content, or into the Location or Bio fields via the User CP. The payload executes when any user visits the attacker's profile. For CSRF, an attacker crafts a malicious form that submits a new cover picture URL to timeline.php?action=profile&uid=1 with do_coverpic=change. If a logged-in victim visits a page containing this form, their cover picture is changed without their consent [1].
Impact
Successful XSS allows arbitrary JavaScript execution in the context of the victim's browser, potentially leading to session hijacking, defacement, or further attacks. The CSRF enables an attacker to modify the victim's profile cover picture, causing unauthorized visual changes. No privilege escalation is reported; the attacker operates at the victim's user level [1][3].
Mitigation
As of the available references, no official patch has been released for MyBB Timeline Plugin 1.0. Users should consider disabling the plugin or implementing input sanitization and CSRF tokens. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][3].
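To make the two recommended mitigations concrete, here is an added example of how a MyBB plugin action for changing a cover picture can enforce MyBB's CSRF post key and escape profile fields at output time. This is not the Timeline plugin's code or anything from the references; the function names, the coverpic field and the users-table column are assumptions, while verify_post_check(), htmlspecialchars_uni(), error_no_permission(), error(), redirect() and the $mybb/$db objects are MyBB core APIs.

```php
<?php
// Added example (hypothetical plugin code, not the Timeline plugin's own).
// Assumes MyBB 1.8 core is loaded: $mybb, $db, verify_post_check(), etc.

// CSRF defence: the cover change only happens on a POST that carries the
// session-bound post key. The form that triggers it must embed
//   <input type="hidden" name="my_post_key" value="{$mybb->post_code}" />
// which a form hosted on an attacker's site cannot know.
function timeline_change_coverpic()
{
    global $mybb, $db;

    // State changes never via GET: an <img> tag or link cannot trigger this.
    if ($mybb->request_method != 'post') {
        error_no_permission();
    }

    // MyBB's built-in check: compares my_post_key against the key derived from
    // the current session and aborts with an error page on mismatch.
    verify_post_check($mybb->get_input('my_post_key'));

    // Act only on the logged-in user's own record; never trust a uid from the URL.
    $uid = (int)$mybb->user['uid'];
    if ($uid <= 0) {
        error_no_permission();
    }

    // Input validation: bounded length, absolute http(s) URL, no quote/angle chars.
    $url = trim($mybb->get_input('coverpic'));
    if (strlen($url) > 255 || !preg_match('#^https?://[^\s"\'<>]+$#i', $url)) {
        error('Invalid cover picture URL.');
    }

    // "coverpic" column on the users table is an assumption for this example.
    $db->update_query('users', array('coverpic' => $db->escape_string($url)), "uid={$uid}");
    redirect('timeline.php?action=profile&uid=' . $uid);
}

// XSS defence: escape every user-controlled field right before it reaches the
// template, so a stored "<script>" in Location or Bio renders as text.
function timeline_escaped_profile_fields(array $user)
{
    return array(
        'location' => htmlspecialchars_uni($user['location']),
        'bio'      => htmlspecialchars_uni($user['bio']),
        'coverpic' => htmlspecialchars_uni($user['coverpic']),
    );
}
```

The same htmlspecialchars_uni() treatment applies to thread titles and post bodies wherever the plugin echoes them into its timeline view.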
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (no linked articles in our index yet)