CVE-2025-23749 identifies a security vulnerability in the mybb Last Topics plugin developed by progpars.net, specifically affecting versions up to 1.0. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that allows attackers to trick authenticated users into executing unwanted actions without their consent. Additionally, the plugin suffers from Stored Cross-Site Scripting (XSS), where malicious scripts injected by an attacker are permanently stored on the server and executed in the context of other users' browsers. The combination of CSRF and Stored XSS significantly increases the attack surface, enabling attackers to hijack user sessions, steal sensitive information, manipulate forum content, or distribute malware. The vulnerability is present because the plugin does not properly validate requests to ensure they originate from legitimate users, nor does it sanitize input to prevent script injection. No CVSS score has been assigned yet, and no patches or official fixes are currently available. Although no known exploits have been reported in the wild, the vulnerability poses a serious risk to forums using this plugin, especially those with active user bases and administrative privileges. The technical details indicate the issue was reserved and published in January 2025, with Patchstack as the assigner, but no further mitigation guidance or exploit code has been disclosed.

The impact of CVE-2025-23749 on organizations worldwide can be significant, especially for those relying on MyBB forums with the Last Topics plugin installed. Successful exploitation could lead to unauthorized actions performed by attackers on behalf of legitimate users, including administrators, resulting in content manipulation, privilege escalation, or user account compromise. Stored XSS can facilitate persistent attacks such as session hijacking, credential theft, or distribution of malware to forum visitors. This undermines user trust and can lead to data breaches or reputational damage. The absence of patches increases the window of exposure, and the vulnerability could be leveraged in targeted attacks against communities or organizations using this software. Since MyBB is popular in various countries for community forums, the threat could affect a broad range of sectors including education, gaming, technology, and hobbyist groups. The combined CSRF and Stored XSS vectors increase the complexity and severity of potential attacks, making this vulnerability a critical concern for forum administrators.

To mitigate CVE-2025-23749, organizations should immediately audit their MyBB installations to identify the presence of the Last Topics plugin version 1.0 or earlier. If found, disable or remove the plugin until a patch is available. Implement CSRF protection mechanisms such as synchronizer tokens or double-submit cookies to validate the authenticity of user requests. Enhance input validation and output encoding to prevent Stored XSS by sanitizing all user-supplied data before storage and display. Monitor forum activity for suspicious behavior indicative of exploitation attempts. Restrict administrative access to trusted users and enforce strong authentication methods. Consider deploying Web Application Firewalls (WAFs) with rules targeting CSRF and XSS attack patterns. Stay informed on vendor updates or community patches addressing this vulnerability. Additionally, educate forum users about phishing and social engineering risks that could facilitate CSRF exploitation. These steps go beyond generic advice by focusing on plugin-specific controls and proactive monitoring.