CVE-2025-48941: CWE-1230: Exposure of Sensitive Information Through Metadata in mybb mybb
MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as an HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue.
AI Analysis
Technical Summary
CVE-2025-48941 is a medium-severity vulnerability affecting MyBB forum software versions prior to 1.8.39. The issue lies in the search component's improper validation of thread visibility permissions during internal search queries. Specifically, the internal search mechanism does not correctly check the 'visible' status of threads, which is stored in the 'mybb_threads.visible' integer column. This column indicates whether a thread is generally visible (1), unapproved (0), soft-deleted (-1), or a draft (-2). Although MyBB enforces permission checks when displaying final search results, the internal search query's outcome influences the HTTP response behavior. If the search internally finds at least one matching thread (regardless of visibility status), the server responds with a redirect or a success message page with delayed redirect. Conversely, if no matches are found, it returns a message without redirect. This difference in response behavior allows an attacker with access to the search functionality and general forum access to infer the existence of hidden threads (draft, unapproved, or soft-deleted) based on the presence or absence of redirects. Notably, the vulnerability does not expose the content of posts, only the existence of such threads. Exploitation requires no authentication beyond access to the search feature and forums containing the threads. The vulnerability is classified under CWE-1230 (Exposure of Sensitive Information Through Metadata). The issue was addressed in MyBB version 1.8.39 by correcting permission validation in search queries. The CVSS v3.1 base score is 5.3 (medium), reflecting the limited confidentiality impact and ease of exploitation without authentication or user interaction. There are no known exploits in the wild at this time.
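A minimal model of the flaw beside its hardened form, added here as an illustration and not MyBB's own code. The table layout, function names and sample rows are constructed, and ordinary users are assumed to see only `visible = 1` threads.

```python
import sqlite3

# Constructed rows; `visible` follows the advisory:
# 1 = visible, 0 = unapproved, -1 = soft-deleted, -2 = draft.
SAMPLE_THREADS = [
    (1, "Welcome to the forum", 1),
    (2, "Pending vendor announcement", 0),
    (3, "Removed complaint thread", -1),
    (4, "Draft roadmap notes", -2),
]
TITLE_MATCH = "instr(lower(subject), lower(?)) > 0"

def make_db():
    """In-memory stand-in for the threads table (hypothetical, simplified schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE threads (tid INTEGER PRIMARY KEY, subject TEXT, visible INTEGER)")
    db.executemany("INSERT INTO threads VALUES (?, ?, ?)", SAMPLE_THREADS)
    return db

def search_outcome(db, keyword, enforce_visibility):
    """Response type the client observes after submitting a title search."""
    sql = f"SELECT COUNT(*) FROM threads WHERE {TITLE_MATCH}"
    if enforce_visibility:
        # Hardened: the internal query applies the same rule as the results page.
        sql += " AND visible = 1"
    (matches,) = db.execute(sql, (keyword,)).fetchone()
    return "redirect" if matches > 0 else "no-results"

def displayed_titles(db, keyword):
    """Results page: visibility is enforced here in both variants."""
    sql = f"SELECT subject FROM threads WHERE {TITLE_MATCH} AND visible = 1 ORDER BY tid"
    return [row[0] for row in db.execute(sql, (keyword,))]

def leaks_existence(db, keyword, enforce_visibility):
    """True when the response type reveals a match the user may not see."""
    redirected = search_outcome(db, keyword, enforce_visibility) == "redirect"
    return redirected and not displayed_titles(db, keyword)

if __name__ == "__main__":
    db = make_db()
    for word in ("welcome", "roadmap", "vendor", "absent"):
        print(word, search_outcome(db, word, False), search_outcome(db, word, True),
              leaks_existence(db, word, False), leaks_existence(db, word, True))
```

`leaks_existence` doubles as a regression check: once the internal query and the results page share the same visibility predicate, it returns `False` for every keyword.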
Potential Impact
For European organizations using MyBB forum software, this vulnerability could lead to unauthorized disclosure of metadata about hidden forum threads. While the actual content of posts remains protected, the ability to detect the existence of draft, unapproved, or soft-deleted threads may reveal sensitive operational or organizational information, such as planned discussions, moderation activities, or internal deliberations not meant for public view. This could undermine trust in the forum's confidentiality and potentially expose strategic or sensitive topics prematurely. In regulated environments, such as those governed by GDPR, unauthorized exposure of metadata might raise compliance concerns if it indirectly reveals personal or sensitive information. Additionally, attackers could use this information to tailor social engineering or further reconnaissance attacks. However, since the vulnerability does not allow content disclosure or modification, the impact on integrity and availability is minimal. The medium severity rating reflects this limited but non-negligible confidentiality risk.
Mitigation Recommendations
European organizations should upgrade all MyBB installations to version 1.8.39 or later, where the vulnerability is fixed. If immediate upgrading is not feasible, administrators can implement the following mitigations:
1) Restrict access to the search functionality to trusted users only, possibly by requiring authentication or limiting search permissions to reduce exposure.
2) Customize or harden the search response behavior to avoid revealing differences in HTTP redirects or messages that could be used as side channels to infer thread existence.
3) Regularly audit forum permissions and visibility settings to ensure that sensitive threads are appropriately protected or archived outside the forum if necessary.
4) Monitor forum logs for unusual search patterns that might indicate probing attempts.
5) Consider deploying web application firewalls (WAFs) with rules to detect and block suspicious search queries targeting thread titles.
These steps, combined with prompt patching, will effectively mitigate the risk posed by this vulnerability.
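One way to implement the log monitoring in mitigation 4, as an added example that is not part of the original advisory. It assumes combined-format web server access logs and that search submissions arrive as `POST` requests to a path ending in `/search.php`; the threshold, window and sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def build_sample_log():
    """Constructed access-log lines (documentation IP ranges, not real traffic)."""
    base = datetime(2025, 6, 2, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'
    lines = [line("198.51.100.7", 4 * i, "POST", "/search.php", 200) for i in range(12)]
    lines.append(line("203.0.113.20", 5, "POST", "/search.php", 200))
    lines.append(line("203.0.113.20", 9, "GET", "/index.php", 200))
    return lines

def flag_search_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {client_ip: peak search submissions seen inside one window}."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for entry in lines:
        m = LINE_RE.match(entry)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, _status = m.groups()
        # The status code is ignored: with a delayed-redirect success page,
        # hits and misses can both be served as 200.
        if method != "POST" or not path.split("?", 1)[0].endswith("/search.php"):
            continue
        when = datetime.strptime(ts, TS_FORMAT)
        seen = recent[ip]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()        # drop submissions older than the window
        if len(seen) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged

if __name__ == "__main__":
    for ip, peak in flag_search_bursts(build_sample_log()).items():
        print(f"{ip}: {peak} search submissions within one minute")
```

Tune `threshold` and `window` against normal traffic for the forum before alerting on the output.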
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-28T18:49:07.581Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683dcda1182aa0cae24b862f
Added to database: 6/2/2025, 4:13:21 PM
Last enriched: 7/3/2025, 4:57:49 PM
Last updated: 8/2/2025, 2:33:05 AM