MyBB Latest Posts On Profile 1.1 - Cross Site Scripting

Summary

    MyBB is a free, widely deployed forum package whose main strength is that it is simple to run while remaining functionally rich. Its general features include: 1. No fixed limit on the number of members, forums, posts or threads. 2. MySQL full-text search (MySQL 4.1 and later). 3. Several forum installations can share one database. 4. An intuitive template and theme system for full customisation. 5. Optional installation of any number of language packs. 6. Written in PHP, with support for MySQL, PostgreSQL, and SQLite v2 and v3 database servers. MyBB Latest Posts On Profile is a MyBB plugin that displays a user's most recent posts on that user's profile page.
    Exploiting the cross-site scripting vulnerability in this plugin is straightforward. When a user creates a new thread, the script payload is placed in the thread's subject. The plugin later writes that subject into the profile page without HTML-encoding it, so the injected script runs in the browser when the profile is viewed (the report triggers it by the poster opening their own profile). Because the payload is saved in the database and replayed on every view of the profile, this is a stored XSS rather than a reflected one.
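
To make the root cause concrete, the following PHP sketch is added here as an illustration; it is not code from the Latest Posts On Profile plugin or from MyBB. It contrasts a rendering routine that interpolates a stored thread subject into profile HTML unencoded with one that HTML-encodes the value at output time. The thread array, the thread id 42 and the payload string are constructed test data, and the function and variable names are hypothetical; `showthread.php?tid=` is MyBB's real thread URL and `htmlspecialchars_uni()` is MyBB's own encoding helper, mentioned in a comment for readers writing a plugin.

```php
<?php
// Added illustration, not code from the MyBB Latest Posts On Profile plugin.
// Demonstrates the bug class described above: a thread subject stored by the
// attacker is later written into profile HTML without output encoding.

declare(strict_types=1);

// Constructed sample: a thread row as it might come back from the database.
// The payload is an arbitrary test string, not a value from the report.
$latest_post = [
    'tid'     => 42,
    'subject' => '<script>alert(document.cookie)</script>',
];

// Vulnerable rendering: the raw subject is concatenated straight into the
// markup, so any HTML or script inside it becomes part of the page.
function render_latest_post_vulnerable(array $post): string
{
    return '<a href="showthread.php?tid=' . $post['tid'] . '">'
         . $post['subject']
         . '</a>';
}

// Hardened rendering: HTML-encode the untrusted value at the point of output.
// ENT_QUOTES also encodes single and double quotes, so the value is safe
// inside attribute values as well as element text; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the string. Inside a real MyBB plugin
// the project's equivalent helper is htmlspecialchars_uni().
function render_latest_post_fixed(array $post): string
{
    $tid     = (int) $post['tid'];
    $subject = htmlspecialchars($post['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="showthread.php?tid=' . $tid . '">' . $subject . '</a>';
}

// Simple check a reviewer can run over rendered output: does the untrusted
// input survive verbatim, i.e. did the raw markup leak into the page?
function leaks_raw_markup(string $html, string $untrusted): bool
{
    return strpos($html, $untrusted) !== false;
}

$vuln  = render_latest_post_vulnerable($latest_post);
$fixed = render_latest_post_fixed($latest_post);

echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";
echo 'raw markup leaks (vulnerable): '
   . var_export(leaks_raw_markup($vuln, $latest_post['subject']), true) . "\n";
echo 'raw markup leaks (fixed):      '
   . var_export(leaks_raw_markup($fixed, $latest_post['subject']), true) . "\n";
```

Run with `php example.php`. The vulnerable line reproduces the `<script>` element unchanged, while the fixed line emits `&lt;script&gt;...`, which the browser displays as text instead of executing. The same encoding must be applied to every other user-controlled field the plugin echoes, not only the subject.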

Solution

1. At present, the vendor has not provided a patch or an upgrade procedure. We recommend that users of this plugin watch the vendor's page to obtain the latest version:
https://community.mybb.com/mods.php?action=view&pid=914
2. Customers who use Sangfor's next-generation firewall can turn on the WAF defense module to block this type of XSS attack. Note that a WAF filters requests in transit; it is a mitigation, not a fix for the missing output encoding in the plugin.