PatchSiren cyber security CVE debrief
CVE-2021-47934 MyBB CVE debrief
CVE-2021-47934 describes multiple web application issues in MyBB Timeline Plugin 1.0: cross-site scripting through thread titles, post content, and profile fields such as Location and Bio, plus a CSRF issue in timeline.php profile actions that can be used to change a user's cover picture. The risk is highest where the plugin is installed and exposed to untrusted user input or profile interactions.
- Vendor: MyBB
- Product: MyBB Timeline Plugin
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-18
Who should care
Administrators and developers responsible for MyBB sites using the Timeline Plugin 1.0, especially communities that allow user-generated thread titles, posts, or profile fields. End users who view affected profiles or interact with timeline/profile actions are also exposed.
Technical summary
The supplied advisory data indicates script injection opportunities in multiple user-controlled fields handled by the plugin, including thread titles, post content, Location, and Bio. It also identifies a cross-site request forgery weakness in timeline.php profile actions that can trigger an unauthorized cover picture change when a victim visits a crafted form or page. The NVD record maps the issue to CWE-79.
Defensive priority
Medium-high. This is web-facing client-side code execution risk combined with an account-state-changing CSRF issue, so it should be prioritized for any deployment that uses the plugin and accepts untrusted content.
Recommended defensive actions
- Determine whether MyBB Timeline Plugin 1.0 is installed anywhere in your environment and disable or remove it if it is not required.
- Apply the vendor's remediation guidance if a fixed version is available; otherwise treat the plugin as unsafe for untrusted input.
- Review all output paths for thread titles, post content, and profile fields such as Location and Bio and ensure proper context-aware output encoding.
- Add or verify CSRF protection for timeline.php profile actions that change user settings or profile assets.
- Limit which roles can submit or edit plugin-managed content until the issue is remediated.
- Check the official CVE and NVD entries, plus the vendor advisory, for any updated remediation notes or version guidance.
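The output-encoding and CSRF items above, shown as an added example in plain PHP; this is not code from the Timeline Plugin or from MyBB, and the function names, the `cover_picture` field and the form action URL are hypothetical.

```php
<?php
// Added example (not plugin or MyBB code): encode untrusted profile text before it reaches
// HTML, and accept a cover-picture change only from a POST carrying a valid session token.
declare(strict_types=1);

// Encoding for untrusted text (Location, Bio, thread titles) placed in an HTML element body
// or a double-quoted attribute. Other contexts (JS, URL, CSS) need their own encoders.
function encode_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Per-session anti-CSRF token, created once and embedded in every state-changing form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hypothetical cover-picture action: refuse anything that is not a POST with a matching
// token (hash_equals keeps the comparison constant-time), then validate the picture id.
function handle_cover_change(string $method, array $post, array $session): string
{
    $token = $post['csrf_token'] ?? null;
    if ($method !== 'POST' || !is_string($token) || !isset($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $token)) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (!preg_match('/^[0-9]{1,6}$/', (string)($post['cover_picture'] ?? ''))) {
        return 'rejected: invalid cover_picture value';
    }
    return 'cover picture updated to #' . $post['cover_picture'];
}

// Constructed sample data; in a real request $session would be $_SESSION after session_start().
$session = [];
$user = ['location' => 'Paris <b>France</b>', 'bio' => 'I like "quotes" & <angles>'];

// Vulnerable pattern the advisory describes: raw profile text concatenated into markup.
// echo '<p class="bio">' . $user['bio'] . '</p>';   // never do this

echo '<p class="location">' . encode_html($user['location']) . "</p>\n";
echo '<p class="bio">' . encode_html($user['bio']) . "</p>\n";
echo '<form method="post" action="timeline.php?action=cover">'
   . '<input type="hidden" name="csrf_token" value="' . encode_html(csrf_token($session)) . '">'
   . '<input type="hidden" name="cover_picture" value="42"><button>Set cover</button></form>' . "\n";

// A forged cross-site POST cannot supply the session token, so it is refused; the real form passes.
echo handle_cover_change('POST', ['cover_picture' => '42'], $session), "\n";
echo handle_cover_change('POST', ['cover_picture' => '42', 'csrf_token' => $session['csrf_token']], $session), "\n";
```

The same token check must cover every timeline.php action that changes account state, not only the cover picture, and the token must never be exposed to a GET endpoint that an attacker-controlled page could read.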
Evidence notes
The CVE description provided in the source corpus states that MyBB Timeline Plugin 1.0 contains XSS through thread titles, post content, and profile fields, and a CSRF issue in timeline.php profile actions affecting cover picture changes. NVD metadata lists CWE-79 as the primary weakness. The supplied references include the MyBB community plugin page, an Exploit-DB entry, and a VulnCheck advisory, which support that this is a publicly documented web application vulnerability.
Official resources
Publicly disclosed vulnerability information is reflected in the supplied NVD/CVE records and referenced advisory links. The source corpus identifies VulnCheck as the disclosure source for the external references included here.