CVE-2024-52702: n/a
A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter. NOTE: this is disputed by the Supplier because Website Name can only be set by an administrator, who may use JavaScript if they wish.
AI Analysis
Technical Summary
CVE-2024-52702 identifies a stored cross-site scripting (XSS) vulnerability in the install\index.php component of MyBB version 1.8.38, a popular open-source forum software. The vulnerability arises from insufficient sanitization of the Website Name parameter, which can be manipulated to inject malicious JavaScript or HTML payloads that persist on the server. When an administrator sets the Website Name, the crafted payload is stored and subsequently executed in the context of users visiting the forum, potentially leading to session hijacking, defacement, or redirection attacks. The supplier disputes the severity, arguing that since only administrators can modify this parameter and they already have high privileges, the risk is limited. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low attack complexity, requires privileges equivalent to an administrator, and user interaction is needed to trigger the payload. The vulnerability impacts confidentiality and integrity but not availability, and the scope is changed due to the potential for cross-site scripting affecting other users. No public exploits have been reported yet, and no patches are currently linked, so mitigation relies on administrative controls and input validation.
Potential Impact
For European organizations using MyBB forums, this vulnerability could allow an attacker with administrative access to inject malicious scripts that execute in the browsers of forum users, potentially compromising user sessions, stealing sensitive information, or defacing the forum. Although exploitation requires administrative privileges, insider threats or compromised administrator accounts could leverage this flaw to escalate damage. The impact on confidentiality and integrity is moderate, as attackers could hijack sessions or manipulate displayed content. Availability is not affected. Given the widespread use of MyBB in community forums and support sites across Europe, especially in small to medium enterprises and niche communities, this vulnerability could undermine user trust and lead to reputational damage. Organizations with less stringent administrative controls or weak account security are at higher risk.
Mitigation Recommendations
European organizations should implement strict access controls and multi-factor authentication for administrator accounts to reduce the risk of account compromise. Input validation and output encoding should be enforced on the Website Name parameter to prevent injection of malicious scripts. Although the supplier disputes the vulnerability, applying custom patches or web application firewall (WAF) rules to detect and block suspicious payloads targeting the Website Name field is recommended. Regular security audits of administrative inputs and monitoring of forum content for anomalous scripts can help detect exploitation attempts. Additionally, educating administrators about the risks of placing JavaScript in configuration fields, and limiting the use of such scripts, can reduce the attack surface. Organizations should stay alert for official patches or updates from MyBB and apply them promptly once available.
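The output-encoding and audit advice above, as an added illustrative example (this is not MyBB's own code): the vulnerable pattern of echoing the stored Website Name unchanged sits beside its hardened form, with a small check that flags stored settings containing markup. The array key `bbname` and the sample value are assumptions constructed for the example.

```php
<?php
// Added illustrative example, not MyBB's own code: a stored "Website Name"
// setting must be HTML-encoded wherever it is echoed into a page. The array
// key 'bbname' is an assumption standing in for the application's real key.
declare(strict_types=1);

// Constructed sample of a saved Website Name that carries markup.
const SAMPLE_SETTINGS = ['bbname' => 'My Forum <script>alert(1)</script>'];

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so any markup saved by an administrator is interpreted by visitors' browsers.
function render_title_unsafe(array $settings): string
{
    return '<title>' . $settings['bbname'] . '</title>';
}

// Hardened pattern: encode at output time. ENT_QUOTES also makes the value
// safe inside attribute values, and the charset is fixed explicitly.
function render_title_safe(array $settings): string
{
    $name = htmlspecialchars($settings['bbname'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<title>' . $name . '</title>';
}

// Audit helper for the "monitor forum content for anomalous scripts" advice:
// flags a stored setting containing a tag, an event-handler attribute or a
// javascript: URL so the entry can be reviewed.
function looks_like_markup(string $value): bool
{
    return (bool) preg_match('/<[a-z!\/]|\bon[a-z]+\s*=|javascript\s*:/i', $value);
}

echo render_title_unsafe(SAMPLE_SETTINGS), PHP_EOL;
echo render_title_safe(SAMPLE_SETTINGS), PHP_EOL;
var_dump(looks_like_markup(SAMPLE_SETTINGS['bbname']));
var_dump(looks_like_markup('Plain Forum Name'));
```

Running the audit helper over every stored setting (not only the Website Name) is the cheaper check; the encoding fix is what actually removes the exposure.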
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2024-11-15T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69367514232db2b373822962
Added to database: 12/8/2025, 6:49:56 AM
Last enriched: 12/8/2025, 7:05:17 AM
Last updated: 12/8/2025, 12:10:19 PM