CVE-2022-28353
Description
External Redirect Warning Plugin 1.3 for MyBB is vulnerable to reflected XSS via the redirect URL parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The External Redirect Warning Plugin version 1.3 for MyBB contains a cross-site scripting (XSS) vulnerability in the redirect URL parameter (external.php?url=). An attacker can inject arbitrary JavaScript into this parameter, which will be executed in the context of the victim's browser when the crafted link is visited [1], [2].
Exploitation
An attacker does not need any special privileges or authentication to exploit this vulnerability. The attacker crafts a malicious URL pointing to the vulnerable external.php script with a JavaScript payload in the url parameter and convinces a victim to click the link (e.g., via phishing, forum post, or direct message). The MyBB server does not sanitize or validate the input before reflecting it in the page [2].
Impact
Successful exploitation results in reflected XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data including cookies and forum credentials [1], [2].
Mitigation
As of the latest available references, no patch has been released for this vulnerability. Administrators are advised to disable the External Redirect Warning Plugin or apply input sanitization manually until a fixed version is provided [1], [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
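The Mitigation section above recommends manual input sanitization until a fixed plugin version is available. The PHP snippet below is an added example written for this page, not code from the External Redirect Warning Plugin or from MyBB: it places the unsafe reflection pattern the advisory describes beside a hardened handler that first validates the url parameter as an absolute http(s) URL and then HTML-encodes it at the point of output. The function names, the warning-page markup and the sample inputs are constructed for illustration and are not taken from the plugin.

```php
<?php
// Added example for CVE-2022-28353, not the plugin's own code.
// Function names, markup and sample inputs are assumptions for illustration.
declare(strict_types=1);

// Unsafe pattern: the ?url= value is concatenated straight into HTML.
// Any markup in the value is interpreted by the browser (reflected XSS).
function render_warning_unsafe(string $url): string
{
    return '<p>You are leaving this forum for: <a href="' . $url . '">'
        . $url . '</a></p>';
}

// Validation step: accept only absolute http(s) URLs, reject everything else
// (relative paths, javascript:/data: schemes, malformed input).
function validate_external_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hardened pattern: validate, then HTML-encode at output so the value can
// only ever be rendered as text inside the attribute and the element body.
function render_warning_safe(string $url): string
{
    $clean = validate_external_url($url);
    if ($clean === null) {
        return '<p>Invalid redirect target.</p>';
    }
    $escaped = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>You are leaving this forum for: <a href="' . $escaped
        . '" rel="noopener noreferrer">' . $escaped . '</a></p>';
}

// Constructed sample inputs (not real payloads from the advisory).
$benign  = 'https://example.com/page?a=1&b=2';
$hostile = '"><b>injected</b>';   // breaks out of the href attribute

if (PHP_SAPI === 'cli') {
    // Unsafe: the attribute is closed early and <b>injected</b> becomes live markup.
    echo render_warning_unsafe($hostile), PHP_EOL;
    // Safe: the hostile value fails validation and is never reflected.
    echo render_warning_safe($hostile), PHP_EOL;
    // Safe: the benign URL is reflected with & encoded as &amp;.
    echo render_warning_safe($benign), PHP_EOL;
}
```

Running the script from the command line prints the three renderings: the first shows the injected element surviving as markup, the second shows the hostile value rejected before output, and the third shows the benign URL reflected with its ampersand encoded. Both the validation and the encoding are needed: validation alone still leaves a quote in a legitimate-looking URL able to close the attribute, and encoding alone would still allow a javascript: scheme to survive as a clickable link.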
Affected products
- MyBB/External Redirect Warning Plugin
- Range: = 1.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.