MEDIUM SeverityCVSS 4.06.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

CVE-2021-47934

Last updated May 16, 2026 · Published May 16, 2026

Description

MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php profile action to change a user's cover picture by crafting malicious forms that execute when victims visit affected profiles.

Affected products

1 listed

MyBB:MyBB Timeline Plugin

Mappings

CWE

CWE-79

CAPEC

None listed.

Research

Cross-Site Scripting (XSS)Covers reflected, stored, and DOM based XSS risks and why they remain high impact. Provides prevention…
Cross-site request forgery (CSRF): how it works and how to defend itCross-site request forgery (CSRF) lets attackers reuse a victim's session cookie from another site. SameSite…
Session management: secure cookies, rotation, and lifetimeSession management is the spine of authenticated web apps. Use HttpOnly, Secure, SameSite cookies, rotate on…

Guides

Secure session management: cookies, tokens, rotation, and logoutSecure session management means HttpOnly Secure cookies, rotation on privilege change, idle and absolute…

Training

XSS in React, Vue and Server ComponentsCross-site scripting in modern component frameworks and how to prevent it.
Session ManagementTokens, cookies, and state - keeping sessions secure in stateless architectures.

CVE-2021-47934

Description

Affected products

Mappings

Related