CVE-2021-47934 Overview
CVE-2021-47934 affects the MyBB Timeline Plugin version 1.0, a third-party extension for the MyBB forum software. The plugin contains multiple stored cross-site scripting (XSS) flaws [CWE-79] across thread titles, post content, and user profile fields including Location and Bio. A cross-site request forgery (CSRF) weakness in the timeline.php profile action also allows attackers to change a victim's cover picture when the victim visits a crafted page. Exploitation requires no authentication from the attacker and no user interaction beyond visiting affected forum content.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript into forum content and silently modify victim profile cover pictures through forged requests.
Affected Products
- MyBB Timeline Plugin 1.0
- MyBB forums with the Timeline Plugin installed
- Any deployment exposing the timeline.php profile action
Discovery Timeline
- 2026-05-16 - CVE-2021-47934 published to the National Vulnerability Database
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47934
Vulnerability Analysis
The MyBB Timeline Plugin fails to sanitize user-supplied input before rendering it within forum pages. Attackers can submit thread titles, post bodies, and profile fields containing JavaScript payloads that execute in the browsers of users who view the content. The stored nature of these XSS flaws means each affected page becomes a delivery vector for arbitrary client-side code.
The plugin also lacks anti-CSRF token validation on the profile action exposed by timeline.php. An attacker can host a malicious form that issues a state-changing request to alter a victim's cover picture when the victim browses the attacker's page while authenticated to the forum. The combined XSS and CSRF surface enables session theft, defacement, and account manipulation across forum users.
Root Cause
The root cause is missing output encoding on user-controlled fields and absent CSRF token enforcement on profile-modifying endpoints. The plugin treats forum input as trusted and renders it directly into HTML contexts without contextual escaping.
Attack Vector
The network-reachable attack vector requires no privileges. For XSS, an attacker posts a thread, reply, or updates profile fields containing a script payload. For CSRF, the attacker lures an authenticated MyBB user to an attacker-controlled page that auto-submits a forged request to timeline.php. Refer to the VulnCheck Advisory: MyBB XSS/CSRF and the Exploit-DB #49467 entry for the original proof of concept.
Detection Methods for CVE-2021-47934
Indicators of Compromise
- Unexpected <script>, onerror=, or onload= strings stored in thread titles, post bodies, or profile Location and Bio fields.
- Outbound requests from forum visitor browsers to unknown domains after rendering specific threads or profiles.
- Mass or unexplained changes to user cover pictures through the timeline.php profile action.
Detection Strategies
- Review the MyBB database tables for thread, post, and user profile rows containing HTML event handlers or script tags.
- Inspect web server access logs for POST requests to timeline.php originating from external Referer headers.
- Compare profile change audit records against expected user activity to surface forged updates.
Monitoring Recommendations
- Alert on web application firewall events that match common XSS payload patterns directed at MyBB forum endpoints.
- Monitor for repeated profile modification requests lacking a valid session-bound CSRF token.
- Track plugin installation inventory to identify forums still running the unsupported Timeline Plugin 1.0.
How to Mitigate CVE-2021-47934
Immediate Actions Required
- Disable or uninstall the MyBB Timeline Plugin 1.0 until a patched version is confirmed available.
- Audit existing thread, post, and profile content for previously injected payloads and remove malicious entries.
- Force a password reset for accounts that may have rendered attacker-controlled content while authenticated.
Patch Information
No official vendor patch is referenced in the available advisory data. Administrators should review the MyBB Plugin Mod listing for plugin status and the VulnCheck Advisory: MyBB XSS/CSRF for remediation guidance.
Workarounds
- Remove the Timeline Plugin from the MyBB inc/plugins directory and clear cached templates.
- Apply a web application firewall rule that strips script tags and event handlers from forum input fields.
- Enforce a Content Security Policy that disallows inline scripts to limit the impact of stored XSS.
- Add server-side validation that rejects state-changing requests to timeline.php missing a valid CSRF token.
# Configuration example: disable the Timeline Plugin on a MyBB installation
cd /var/www/mybb/inc/plugins
mv timeline.php timeline.php.disabled
# Then visit Admin CP > Configuration > Plugins and deactivate Timeline
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
