MyBB versions 1.8.12 and prior is vulnerable to a cross site scripting bug which can allow a moderator to take over an administrator’s account and upload a webshell, or perform file enumeration in the instances where it is not possible to spawn a shell.