CVE-2025-48940

7.2 HIGH

📋 TL;DR

This vulnerability in the MyBB forum software allows local file inclusion (LFI) through improper input validation in the upgrade component. An attacker who can reach the upgrade script while the installer is unlocked (no install/lock file) can read arbitrary files from the server. MyBB versions prior to 1.8.39 are affected.

💻 Affected Systems

Products:
  • MyBB
Versions: All versions prior to 1.8.39
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires installer to be unlocked (no install/lock file) and attacker access to upgrade script via install/index.php or admin authentication.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through LFI leading to sensitive file disclosure, credential theft, and potential remote code execution via log poisoning or PHP wrappers.

🟠

Likely Case

Unauthorized reading of configuration files, database credentials, session data, and other sensitive server files.

🟢

If Mitigated

Limited impact if proper file permissions restrict sensitive file access and installer is locked.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires specific conditions: the installer must be unlocked and the attacker must be able to reach the upgrade script, either through an unlocked install/index.php or with admin authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.39

Vendor Advisory: https://github.com/mybb/mybb/security/advisories/GHSA-q4jv-xwjx-37cp

Restart Required: No

Instructions:

1. Back up your MyBB installation and database.
2. Download MyBB 1.8.39 from mybb.com.
3. Replace all files except inc/config.php and inc/settings.php.
4. Run the upgrade script (install/upgrade.php) if the release notes call for it, then re-create install/lock so the installer is not left open.
5. Verify the installation works correctly.

🔧 Temporary Workarounds

Lock the installer (all platforms)

Create the lock file so install/index.php refuses to run:

touch install/lock

Remove the installer directory (Linux)

Delete or restrict access to the install directory after installation. You will need to restore it from the release archive to run a future upgrade:

rm -rf install/

🧯 If You Can't Patch

  • Ensure install/lock file exists and is not writable by web server
  • Restrict access to install directory via web server configuration or .htaccess

🔍 How to Verify

Check if Vulnerable:

Check the MyBB version in the Admin CP or in inc/class_core.php ($version / $version_code). If the version is below 1.8.39 and the installer is reachable (install/ directory present and no install/lock file), the system is vulnerable.

Check Version:

grep -E '\$version(_code)? = ' inc/class_core.php

Verify Fix Applied:

Confirm the running version is 1.8.39 or later, then confirm that install/lock exists (or the install directory has been removed) and that a request to /install/index.php returns 403/404 or the installer's locked message rather than the upgrade page.
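The "If You Can't Patch" steps and the checks above, as one added shell script (not MyBB project code). It assumes the MyBB 1.8 layout, where inc/class_core.php carries public $version_code = 1839; for 1.8.39 and where install/index.php refuses to run while install/lock exists; the function names are illustrative, and the fixture used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not MyBB project code: check a MyBB tree for CVE-2025-48940
# exposure and apply the lock-file workaround. Assumes the MyBB 1.8 layout,
# where inc/class_core.php carries the lines
#     public $version = "1.8.39";
#     public $version_code = 1839;
# and where install/index.php refuses to run while install/lock exists.

FIXED_VERSION_CODE=1839   # MyBB 1.8.39

# Print the numeric version_code from inc/class_core.php (e.g. 1838), or nothing
# if the file is missing or does not carry the line.
mybb_version_code() {
    sed -n 's/.*\$version_code *= *\([0-9][0-9]*\);.*/\1/p' "$1/inc/class_core.php" 2>/dev/null | head -n 1
}

# 0 if the installer cannot be reached: the install/ directory is gone, or
# install/lock exists.
mybb_installer_locked() {
    [ ! -d "$1/install" ] || [ -e "$1/install/lock" ]
}

# 0 if exposed (version below 1.8.39 AND installer unlocked), 1 if not,
# 2 if the version could not be read.
mybb_is_vulnerable() {
    _code=$(mybb_version_code "$1")
    [ -n "$_code" ] || return 2
    [ "$_code" -lt "$FIXED_VERSION_CODE" ] && ! mybb_installer_locked "$1"
}

# Workaround from the advisory page: create install/lock read-only. The web
# server user must also not be able to write install/ itself, otherwise it
# can simply unlink the lock file again.
mybb_lock_installer() {
    [ -d "$1/install" ] || return 0
    : > "$1/install/lock" && chmod 0444 "$1/install/lock"
}

# One-line verdict for a MyBB root directory.
mybb_report() {
    if mybb_is_vulnerable "$1"; then _rc=0; else _rc=$?; fi
    case $_rc in
        0) echo "VULNERABLE: version_code $(mybb_version_code "$1") < $FIXED_VERSION_CODE and installer unlocked" ;;
        2) echo "UNKNOWN: cannot read version from $1/inc/class_core.php" ;;
        *) echo "NOT VULNERABLE: patched or installer locked" ;;
    esac
}

# Stand-alone use: sh mybb_check.sh /var/www/mybb
if [ -n "${1:-}" ]; then
    mybb_report "$1"
fi
```

Run it against the MyBB document root as the file owner (not the web server user). A NOT VULNERABLE verdict on an unpatched tree only means the lock file is in place; the patch is still the fix.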

📡 Detection & Monitoring

Log Indicators:

  • Requests to install/index.php or install/upgrade.php whose parameters contain traversal sequences (../, %2e%2e) or PHP stream wrappers (php://, data:)
  • Multiple failed upgrade attempts
  • Responses from the installer whose size differs sharply from the normal upgrade page (file contents being echoed back)

Network Indicators:

  • HTTP requests to install/index.php carrying file-path-like values in the query string or POST body
  • Unusual file read patterns from the web server process

SIEM Query:

web.url: "*install/index.php*" AND (web.querystring: "*file=*" OR web.querystring: "*path=*")

The parameter names file= and path= are illustrative; the advisory does not name the vulnerable parameter, so also match on payload shape (../, %2e%2e, php://, /etc/passwd) rather than on a parameter name alone.
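The indicators above turned into a grep-based log filter, as an added example and not the page's or MyBB's own code. The sample access-log lines are constructed; the file= parameter name in them is illustrative, since the advisory does not name the vulnerable parameter, which is why the filter keys on the payload shape rather than on a parameter name.

```shell
#!/bin/sh
# Added example, not MyBB project code: flag access-log lines that hit the
# MyBB installer with an LFI-shaped payload. The advisory does not name the
# vulnerable parameter, so matching keys on the payload (traversal sequences,
# PHP stream wrappers, classic target paths) rather than on "file=".

# Constructed sample log (Apache combined format), not real traffic. Lines 3, 4
# and 6 are the ones a detector should raise; line 5 carries a traversal but is
# out of scope because it does not touch the installer.
SAMPLE_ACCESS_LOG='203.0.113.5 - - [10/Jun/2025:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 7120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:14:02:13 +0000] "GET /install/index.php?action=upgrade HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:14:02:19 +0000] "GET /install/index.php?action=upgrade&file=../../../../etc/passwd HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:14:02:25 +0000] "POST /install/index.php?action=upgrade&file=php://filter/convert.base64-encode/resource=inc/config.php HTTP/1.1" 200 2930 "-" "curl/8.4.0"
198.51.100.9 - - [10/Jun/2025:14:03:02 +0000] "GET /showthread.php?tid=12&file=../../etc/passwd HTTP/1.1" 404 320 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:14:03:40 +0000] "GET /install/index.php?action=upgrade&file=%2e%2e%2f%2e%2e%2finc%2fconfig.php HTTP/1.1" 200 1776 "-" "Mozilla/5.0"'

# Exit 0 when the line requests the installer AND carries an LFI-shaped payload.
is_installer_lfi_attempt() {
    printf '%s\n' "$1" | grep -Eq '"(GET|POST) [^" ]*/install/(index|upgrade)\.php' &&
    printf '%s\n' "$1" | grep -Eiq '(\.\./|%2e%2e|%252e|php://|phar://|data:|/etc/passwd|/proc/self|\.log)'
}

# Read a log on stdin, print the suspicious lines.
scan_access_log() {
    while IFS= read -r _line; do
        if is_installer_lfi_attempt "$_line"; then printf '%s\n' "$_line"; fi
    done
    return 0
}

# Read a log on stdin, print how many lines are suspicious.
count_installer_lfi_attempts() {
    _n=0
    while IFS= read -r _line; do
        if is_installer_lfi_attempt "$_line"; then _n=$((_n + 1)); fi
    done
    echo "$_n"
}

# Stand-alone use: sh mybb_lfi_scan.sh /var/log/apache2/access.log
if [ -n "${1:-}" ]; then
    scan_access_log < "$1"
else
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | scan_access_log
fi
```

The second pattern is deliberately broad (it includes .log, the target of log-poisoning attempts); scope it to the installer path first, as the script does, or it will light up on ordinary forum traffic.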
