PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-8973 Mybb CVE debrief

CVE-2015-8973 describes a remote access-control bypass in MyBB’s xmlhttp.php. According to NVD, the issue affects MyBB before 1.6.18, MyBB 1.8.x before 1.8.6, and MyBB Merge System before 1.8.6. The vulnerability is rated HIGH (CVSS 8.3) and can let a network attacker bypass intended restrictions tied to the forum password.

Vendor: Mybb
Product: CVE-2015-8973
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators and operators of MyBB forums or MyBB Merge System deployments, especially internet-exposed sites that have not been updated to the fixed releases.

Technical summary

The NVD record maps this issue to CWE-284 (Improper Access Control) and assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L. The published description states that xmlhttp.php can be abused to bypass intended access restrictions via vectors related to the forum password. The affected version ranges in the record are MyBB before 1.6.18, MyBB 1.8.0 through 1.8.5, and MyBB Merge System before 1.8.6.

Defensive priority

High. The flaw is remotely reachable, requires no privileges or user interaction, and is scored HIGH by NVD. Treat exposure as urgent if any affected MyBB or Merge System versions remain in service.

Recommended defensive actions

  • Upgrade MyBB to 1.6.18 or later, or to 1.8.6 or later.
  • Upgrade MyBB Merge System to 1.8.6 or later.
  • Inventory all MyBB-related installations, including legacy forums and merge-system deployments, to confirm no affected versions remain.
  • Review exposure of xmlhttp.php and verify that forum access controls behave as expected after patching.
  • Monitor authentication and forum-access logs for unexpected requests or bypass attempts around the affected endpoint.
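As an added example (not code from PatchSiren or the MyBB project), the following Python helper supports the inventory and monitoring steps above: it checks a reported version against the NVD affected ranges for MyBB and the Merge System, and counts requests to xmlhttp.php per client in combined-format web server logs. The log lines are constructed for the example, and the alert threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Fixed releases named in the advisory; everything below them on the
# relevant branch falls inside the NVD affected ranges.
FIXED_16 = (1, 6, 18)     # MyBB before 1.6.18 is affected
FIRST_18 = (1, 8, 0)      # MyBB 1.8.0 through 1.8.5 is affected
FIXED_18 = (1, 8, 6)
FIXED_MERGE = (1, 8, 6)   # Merge System before 1.8.6 is affected

def parse_version(text):
    """Turn '1.8.5' into (1, 8, 5); missing components are treated as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(product, version):
    """True when the version lies in a range NVD lists for CVE-2015-8973."""
    v = parse_version(version)
    if product == "merge":
        return v < FIXED_MERGE
    return v < FIXED_16 or FIRST_18 <= v < FIXED_18

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def xmlhttp_hits(log_lines):
    """Count requests to xmlhttp.php per client address (the endpoint the
    advisory says to watch); lines that do not parse are skipped."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?")[0].split("/")[-1] == "xmlhttp.php":
            hits[m.group("ip")] += 1
    return hits

def flag_clients(log_lines, threshold=3):
    """Clients whose xmlhttp.php request count reaches the (assumed) threshold."""
    return sorted(ip for ip, n in xmlhttp_hits(log_lines).items() if n >= threshold)

# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2017:10:00:01 +0000] "GET /forum/xmlhttp.php?action=sample HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Jan/2017:10:00:02 +0000] "POST /forum/xmlhttp.php?action=sample HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Jan/2017:10:00:03 +0000] "GET /forum/xmlhttp.php?action=sample HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Jan/2017:10:01:00 +0000] "GET /forum/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Jan/2017:10:01:05 +0000] "GET /forum/xmlhttp.php?action=sample HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'not a log line',
]
```

Calling flag_clients(SAMPLE_LOG) returns ['203.0.113.5'], and is_affected("mybb", "1.8.5") is True while is_affected("mybb", "1.8.6") is False.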

Evidence notes

This debrief is based on the NVD CVE record and the referenced vendor/advisory links only. Supported facts include the affected products and version ranges, the access-control-bypass description, the CWE-284 mapping, the CVSS vector and score, and the vendor release-notes reference for the fixed MyBB versions. The CVE record was published on 2017-01-31 and later modified on 2026-05-13; that modified date is record metadata, not the original flaw date.

Official resources

NVD published the CVE record on 2017-01-31 and later modified it on 2026-05-13. The record references MyBB vendor release notes and OSS Security discussions as supporting material.