Cross-Site Request Forgery (CSRF) vulnerability in progpars.net mybb Last Topics mybb-last-topics allows Stored XSS. This issue affects mybb Last Topics: from n/a through <= 1.0.
The CVSS score for this vulnerability is 7.1, indicating a high severity level. Organizations should be aware of the potential risks associated with this vulnerability, as it allows attackers to perform actions on behalf of authenticated users.
Risk to organizations includes the potential for attackers to execute arbitrary scripts in the context of the affected user’s session, leading to sensitive data exposure, unauthorized actions, and compromise of user accounts.
There is currently no known public exploit for this vulnerability, but given its nature and the attack vector being network-based, organizations should prioritize patching immediately.
Vulnerability Details
The Cross-Site Request Forgery (CSRF) vulnerability in mybb Last Topics Plugin allows for stored XSS attacks. It has been classified under CWE-352, indicating that the vulnerability can be exploited through malicious requests made by attackers.
The CVSS score of 7.1 reflects a high severity level, with the attack vector being network-based, requiring low complexity and no privileges, but user interaction is required for exploitation.
This vulnerability was published on January 16, 2025, and has undergone modifications, with the last update recorded on April 23, 2026.
Technical Analysis
The root cause of this vulnerability stems from inadequate validation of requests, allowing attackers to forge unauthorized requests on behalf of users. The attack vector is network-based, which means that an attacker can exploit this vulnerability remotely.
The complexity of the attack is low, requiring no privileges to execute. However, it necessitates user interaction, which could involve tricking the user into clicking on a malicious link or visiting a compromised site.
The impacts of this vulnerability include confidentiality, integrity, and availability effects, albeit at a low level. This means that while the ultimate impact may not be catastrophic, attackers may still leverage this vulnerability to gain unauthorized access or manipulate user data.
Risk & Impact Analysis
Organizations deploying the mybb Last Topics Plugin face significant risks due to this vulnerability. The potential for stored XSS attacks can lead to unauthorized access and data compromise, affecting user trust and organizational reputation.
The blast radius of this vulnerability is considerable, as it can potentially affect all users of the affected plugin. Given these factors, organizations should address this vulnerability in their priority patch cycle.
Considering the CVSS score and the nature of the vulnerability, immediate remediation is crucial. Organizations should ensure that their security teams are aware of the vulnerability and are taking appropriate steps to mitigate the risks.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
This vulnerability affects mybb Last Topics Plugin versions from n/a through <= 1.0. Organizations should ensure they are running the latest version to mitigate the risks associated with this vulnerability.
Mitigation & Remediation
Organizations should prioritize patching this vulnerability by updating to the latest version of mybb Last Topics Plugin. If a patch is unavailable, consider implementing workarounds such as disabling the plugin until a fix is applied.
For additional guidance on maintaining application security, organizations may find value in our application security assessment services.
Detection Guidance
To detect potential exploitation attempts, organizations should monitor logs for unusual request patterns that may indicate CSRF attacks. Additionally, behavioral anomalies within user sessions should be analyzed.
AppSecure Threat Intelligence Insight
The long-term significance of this vulnerability lies in its demonstration of how CSRF can be leveraged to perform stored XSS attacks. As organizations increasingly depend on plugins for functionality, understanding and mitigating these vulnerabilities is crucial.
This vulnerability represents a broader trend in the exploitation of web application components, emphasizing the need for comprehensive security assessments and proactive vulnerability management strategies.
Security teams are encouraged to stay informed about emerging vulnerabilities and to continually assess their security postures. For more insights on maintaining robust security practices, organizations can explore our penetration testing methodology and vulnerability management program design resources.
By taking a proactive approach to security, organizations can effectively mitigate risks associated with vulnerabilities like CVE-2025-23749.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)