# Exploit Title: MyBB Export User Plugin 2.0 - Cross-Site Scripting
# Date: January 29, 2021
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1408
# Version: 2.0
# Tested On: Windows 10
# CVE: CVE-2023-27890

Description:
This plugin allows users to request an export of their data. XSS occurs when an admin generates the data for a user.

Proof of Concept:
- As a regular user, go to User CP -> Edit Profile
- Add a payload in Custom User Title, Location, or Bio
- Request your data via User CP -> DSGVO data request
- Log in as admin; you will be notified that a user wants their data
- When the admin generates the user's data, the payload will execute