These submissions have been marked as vulnerable because of security issues found in the plugin. Each entry lists the plugin's name, its author and a short description of the vulnerability. Please bear in mind that the sole purpose of this page is to inform users so they can avoid these plugins, and to help authors address the issues.

Vulnerable Submissions

Minecraft Crafting MyCode

by chack1172 | Version: 1.2 | 4 Downloads | 05-28-2017, 01:56 PM

Staff Notes:

XSS: [item=10;item da craftare]')"onclick="alert('test');" [/item]

Reputation Given

by Eldenroot | Version: 1.0 | 1 Download | 01-21-2017, 11:21 AM

Staff Notes:

XSS: #666"><script type="text/javascript">alert("hi");</script> (from settings)

Warning Threads

by Ircher | Version: 1.0b | 5 Downloads | 10-10-2016, 03:55 PM

Staff Notes:

Allows SQL injection: $tid = $db->simple_select( 'threads', 'tid', 'subject = \''.$user['username'].'\' AND fid = \''.$fid.'\'' ); - Stefan

Image Upload

by postimage | Version: 1.0.3 | 1 Download | 08-09-2016, 09:35 PM

Staff Notes:

external JS

Followers/Following Plugin for MyBB

by EvolSoft | Version: 1.0 | 8 Downloads | 06-12-2016, 12:43 AM

Staff Notes:

Bad code and possible SQL injection: if(mysqli_num_rows($db->query("SELECT * FROM " . TABLE_PREFIX . "ffplugin WHERE following='" . $mybb->user['uid'] . "' AND follower='" . $mybb->input['uid'] . "'")) == 0){ - Stefan

Haz RollDices

by hazmole | Version: Array | 5 Downloads | 06-10-2016, 03:25 PM

Staff Notes:

SQL Injection in plugin file; PM sent - Stefan

Exp Manager

by Starrlight | Version: 1.0 | 4 Downloads | 06-10-2016, 03:15 PM

Staff Notes:

Destroy666, 29.05.15: several XSS and possible SQLi found. Author was contacted. "thread" seems confusing here. - Omar

Thank You Spoiler

by Mx13 | Version: 1.0.0 | 8 Downloads | 06-10-2016, 03:14 PM

Staff Notes:

Destroy666, 20.05.15: 2 SQLi in xmlhttp hook ($pid = $mybb->input["pid"];), SQLi in group edit ($updated_group['canseespoiler'] = $mybb->input['canseespoiler'];). Contacted the author.
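The Warning Threads, Followers/Following and Thank You Spoiler notes above all quote the same pattern: a username or a raw request parameter concatenated straight into a WHERE clause. The following is an added example, not code from any of the listed plugins, showing that pattern next to the way a MyBB 1.8 plugin should build the same queries with an integer cast, $mybb->get_input() with MyBB::INPUT_INT, and $db->escape_string() for strings. To keep it runnable outside a forum, it constructs small stand-ins for $db and $mybb that only record the SQL they are handed and mirror the MyBB method names; the malicious username and uid parameter are constructed inputs.

```php
<?php
// Added example: the SQL-injection pattern flagged in the staff notes beside a hardened
// version. FakeDB and FakeMyBB are constructed stand-ins for MyBB 1.8's $db and $mybb;
// a real plugin uses the globals and MyBB::INPUT_INT instead.

define('TABLE_PREFIX', 'mybb_');

class FakeDB {
    public $last_sql = '';
    // Stand-in for DB_MySQLi::escape_string(): backslash-escapes what mysqli escapes.
    public function escape_string($s) {
        return str_replace(
            ["\\", "\0", "\n", "\r", "'", '"', "\x1a"],
            ["\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"],
            $s
        );
    }
    // Same shape as MyBB's simple_select($table, $fields, $conditions).
    public function simple_select($table, $fields = '*', $where = '') {
        $this->last_sql = "SELECT {$fields} FROM " . TABLE_PREFIX . $table
            . ($where !== '' ? " WHERE {$where}" : '');
        return $this->last_sql;
    }
    public function query($sql) { $this->last_sql = $sql; return $sql; }
}

class FakeMyBB {
    const INPUT_INT = 2; // only this stand-in depends on the value
    public $input = [];
    public $user = [];
    // Mirrors MyBB::get_input(): a missing or tampered int parameter becomes 0 / its leading digits.
    public function get_input($name, $type = 0) {
        if (!isset($this->input[$name])) { return $type === self::INPUT_INT ? 0 : ''; }
        return $type === self::INPUT_INT ? (int)$this->input[$name] : $this->input[$name];
    }
}

// --- Vulnerable: request and profile values spliced raw into the WHERE clause ---
function follower_check_vulnerable($db, $mybb) {
    return $db->query("SELECT * FROM " . TABLE_PREFIX . "ffplugin WHERE following='"
        . $mybb->user['uid'] . "' AND follower='" . $mybb->input['uid'] . "'");
}
function warning_thread_vulnerable($db, $user, $fid) {
    return $db->simple_select('threads', 'tid',
        "subject = '" . $user['username'] . "' AND fid = '" . $fid . "'");
}

// --- Hardened: integers are cast, strings go through escape_string() ---
function follower_check_safe($db, $mybb) {
    $me   = (int)$mybb->user['uid'];
    $them = $mybb->get_input('uid', FakeMyBB::INPUT_INT);
    return $db->simple_select('ffplugin', '*', "following='{$me}' AND follower='{$them}'");
}
function warning_thread_safe($db, $user, $fid) {
    $subject = $db->escape_string($user['username']);
    $fid = (int)$fid;
    return $db->simple_select('threads', 'tid', "subject = '{$subject}' AND fid = '{$fid}'");
}

// Constructed inputs: a username carrying a quote and a tampered uid parameter.
$db = new FakeDB();
$mybb = new FakeMyBB();
$mybb->user  = ['uid' => 7, 'username' => "Bob' OR '1'='1"];
$mybb->input = ['uid' => "0' OR 1=1 -- "];

echo follower_check_vulnerable($db, $mybb), "\n";
echo follower_check_safe($db, $mybb), "\n";
echo warning_thread_vulnerable($db, $mybb->user, "2' OR '1'='1"), "\n";
echo warning_thread_safe($db, $mybb->user, "2' OR '1'='1"), "\n";
```

Running it prints the four generated statements: in the vulnerable pair the tampered uid turns the follower check into a tautology with a trailing comment, and the username closes the subject literal early; in the hardened pair the uid collapses to 0 through the integer cast and the quote in the username is backslash-escaped so it stays inside the literal. MyBB's DB layer has no prepared statements, so casting numeric input and escaping every string that reaches SQL is the fix that applies to all three listed plugins.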

MyBooks Manager

by DiegoPino | Version: 1.0 | 1 Download | 06-10-2016, 02:10 AM

Staff Notes:

SQL injection and XSS (no htmlspecialchars at all). PM sent - Stefan
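The XSS notes on this page come in two shapes: a MyCode parameter breaking out of an HTML attribute (Minecraft Crafting MyCode) and a settings value dropped into a template without any check (Reputation Given, MyBooks Manager). The following is an added example, not code from any of the listed plugins, placing both failures next to hardened versions. The `<a onclick="...">` markup is hypothetical; the listing does not show the real plugin's output. `esc()` stands in for MyBB's `htmlspecialchars_uni()`, which a real plugin would call instead, and the two payloads are constructed from the ones quoted in the staff notes.

```php
<?php
// Added example: the output-escaping failures behind the XSS notes, with hardened versions.
// The generated markup is hypothetical. esc() stands in for MyBB's htmlspecialchars_uni().

function esc($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Vulnerable MyCode: id, label and body are spliced raw into the tag ---
function item_mycode_vulnerable($message) {
    return preg_replace_callback('#\[item=([^;\]]*);([^\]]*)\](.*?)\[/item\]#is', function ($m) {
        // The body lands inside an inline event handler; a quote in it ends the JS string
        // and a double quote ends the attribute, which is exactly what the quoted payload does.
        return '<a href="#" onclick="craft(\'' . $m[3] . '\')" title="' . $m[2] . '">Item ' . $m[1] . '</a>';
    }, $message);
}

// --- Hardened MyCode: integer id, entity-escaped text, no user text inside inline JS ---
function item_mycode_safe($message) {
    return preg_replace_callback('#\[item=([^;\]]*);([^\]]*)\](.*?)\[/item\]#is', function ($m) {
        $id = (int)$m[1];
        if ($id <= 0) {
            return esc($m[0]); // not a valid item reference: show the raw MyCode as text
        }
        // The body goes into a data attribute; page script reads it via dataset.item
        // instead of having user text inlined into an event handler.
        return '<a href="#" data-item="' . esc($m[3]) . '" title="' . esc($m[2]) . '">Item ' . $id . '</a>';
    }, $message);
}

// --- Settings: an ACP value is still untrusted input when it reaches a template ---
function colour_setting_vulnerable($value) {
    return '<span style="color: ' . $value . '">reputation</span>';
}
function colour_setting_safe($value) {
    // Accept only a 3- or 6-digit hex colour; anything else falls back to a fixed default.
    if (!preg_match('/^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/', $value)) {
        $value = '#666';
    }
    return '<span style="color: ' . $value . '">reputation</span>';
}

// Constructed inputs modelled on the payloads quoted in the staff notes.
$post    = "[item=10;item da craftare]')\"onclick=\"alert('test');\" [/item]";
$setting = '#666"><script type="text/javascript">alert("hi");</script>';

echo item_mycode_vulnerable($post), "\n";
echo item_mycode_safe($post), "\n";
echo colour_setting_vulnerable($setting), "\n";
echo colour_setting_safe($setting), "\n";
```

The vulnerable MyCode emits a second `onclick` attribute from the post body, and the vulnerable setting emits a `<script>` element from the ACP. In the hardened versions the body's quotes become `&#039;` and `&quot;`, so they cannot leave the attribute, and the colour is rejected by the whitelist and replaced with the default. Escaping at output is what the MyBooks Manager note means by "no htmlspecialchars at all": every value that ends up in HTML, whether from a post, a request or a setting, goes through `htmlspecialchars_uni()` or a strict format check first.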