CVE-2023-53979

8.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated administrator of MyBB 1.8.32 to bypass avatar upload restrictions and execute arbitrary code through a chained attack: the attacker modifies the avatar upload path, uploads an image with embedded PHP code, and then triggers execution of that code through the language configuration editor. Exploitation requires an authenticated administrator account.

💻 Affected Systems

Products:
  • MyBB
Versions: 1.8.32
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated administrator access. Earlier versions may also be vulnerable, but the CVE specifically references 1.8.32.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise allowing attackers to execute arbitrary commands, access databases, install backdoors, and pivot to other systems.

🟠 Likely Case: Unauthorized code execution leading to data theft, defacement, or installation of cryptocurrency miners on vulnerable MyBB forums.

🟢 If Mitigated: Limited impact with proper access controls, but still potential for data exposure if exploited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires chaining several steps: changing the upload path setting, uploading a malicious file, and executing it via the language editor. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.33 or later

Vendor Advisory: https://mybb.com/

Restart Required: No

Instructions:

1. Back up your MyBB installation and database.
2. Download MyBB 1.8.33 or later from the official site.
3. Replace all files except inc/config.php and inc/settings.php.
4. Run the upgrade script if needed.
5. Verify functionality.

🔧 Temporary Workarounds

Restrict Administrator Access

Limit administrator accounts to trusted personnel only and implement strong authentication.

File Upload Restrictions

Implement web application firewall rules to block PHP file uploads via avatar functionality.

🧯 If You Can't Patch

  • Implement strict access controls on administrator accounts with multi-factor authentication
  • Monitor and audit all administrator account activities and file uploads to the avatar directory

🔍 How to Verify

Check if Vulnerable:

Check the MyBB version in the Admin Control Panel or view the contents of inc/version.php.

Check Version:

grep "'version'" inc/version.php | head -1

Verify Fix Applied:

Verify that the version is 1.8.33 or later and test that avatar upload restrictions work properly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrator login patterns
  • Modifications to upload path settings
  • PHP file uploads to avatar directory
  • Language file modifications
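The version check above and the "PHP file uploads to avatar directory" indicator can both be scripted. The following is an added example, not code from this advisory or from the MyBB project: it flags files under the avatar directory that are not plain images (in particular image files that also carry a PHP open tag, which is what the chain described above leaves behind) and compares a version string against the fixed release. The avatar directory path and the version string format are assumptions; pass the directory that the upload-path setting currently names.

```python
import os
import re

# Magic bytes of the image formats an avatar upload would normally be
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# PHP open tags: "<?php", the short echo tag "<?=", or "<?" + whitespace.
# "<?xpacket" (XMP metadata, common in JPEGs) deliberately does not match.
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)


def classify(data: bytes) -> str:
    """Classify file contents: image, php-in-image (polyglot), php or other."""
    is_image = data.startswith(IMAGE_MAGIC)
    has_php = PHP_TAG.search(data) is not None
    if is_image and has_php:
        return "php-in-image"
    if is_image:
        return "image"
    return "php" if has_php else "other"


def scan_avatar_dir(path: str) -> list:
    """Return (relative path, verdict) for every file under path that is
    not a plain image. Point it at the directory the upload-path setting
    currently names, not only the default, since the chain changes that."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                verdict = classify(fh.read())
            if verdict != "image":
                findings.append((os.path.relpath(full, path), verdict))
    return findings


def is_patched(version: str) -> bool:
    """True if a MyBB version string is 1.8.33 or later (the fixed release).
    Compares numerically: a string compare would rank "1.8.9" above "1.8.33"."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= (1, 8, 33)


if __name__ == "__main__":  # usage: python scan_avatars.py <avatar dir>
    import sys
    for rel, verdict in scan_avatar_dir(sys.argv[1]):
        print(f"{verdict:14} {rel}")
```

Any "php-in-image" or "php" verdict in the avatar directory should be treated as an incident indicator and correlated with the upload-path and language-file changes listed above.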

Network Indicators:

  • Unexpected outbound connections from web server
  • Command execution patterns in HTTP requests

SIEM Query:

source="mybb_logs" AND (event="admin_login" OR event="file_upload" OR event="config_change")
