CVE-2021-47905 in MyBB Delete Account Plugin

Summary

by MITRE • 01/23/2026

MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons.


Analysis

by VulDB Data Team • 01/24/2026

The vulnerability identified as CVE-2021-47905 affects the MyBB Delete Account Plugin version 1.4, representing a critical cross-site scripting flaw that undermines the security integrity of forum administration interfaces. This issue resides within the account deletion reason input field, where insufficient input validation and output sanitization mechanisms fail to properly handle malicious script injections. The vulnerability specifically targets the administrative functionality of the MyBB platform, creating a pathway for attackers to compromise administrator sessions and potentially gain elevated privileges within the forum environment.

The technical implementation of this vulnerability stems from the plugin's failure to properly sanitize user input before rendering it in administrative contexts. When administrators view account deletion requests, the reason field containing malicious scripts executes within their browser context, bypassing standard security controls. This flaw aligns with CWE-79, which defines cross-site scripting as the improper handling of untrusted data within web applications. The vulnerability demonstrates a classic reflected XSS pattern where attacker-controlled data flows from the user interface directly into the administrative interface without appropriate encoding or validation measures. The attack vector requires minimal privileges as the malicious payload executes in the context of authenticated administrators, potentially enabling session hijacking, data manipulation, or further privilege escalation attacks.

The operational impact of this vulnerability extends beyond simple script execution, as it creates persistent security risks for forum administrators and potentially affects the entire user base. Administrators who view compromised deletion requests become unwitting participants in the attack chain, executing malicious code that can steal session cookies, redirect to malicious sites, or inject additional payloads. This vulnerability particularly threatens MyBB installations where administrators frequently review account deletion requests, as the attack surface increases with each interaction. The security implications align with ATT&CK technique T1566, specifically the use of credential dumping or session hijacking through web-based attacks. The vulnerability also represents a significant risk to data integrity and user privacy, as compromised administrators may have access to sensitive user information and forum configurations.

Mitigation strategies for CVE-2021-47905 should prioritize immediate patching of the affected MyBB Delete Account Plugin to version 1.4.1 or later, which includes proper input validation and output sanitization mechanisms. Organizations should implement additional defensive measures including content security policy headers to prevent script execution, regular monitoring of administrative interfaces for suspicious activity, and input validation at multiple layers within the application architecture. The remediation process should also include reviewing and updating security configurations for all MyBB plugins to ensure consistent application of security controls. Network segmentation and privileged access controls should be enforced to limit the potential impact of successful exploitation, while regular security audits should verify that similar vulnerabilities do not exist in other plugin components. Organizations must also consider implementing web application firewalls to detect and block malicious script injection attempts, and establish incident response procedures for handling potential exploitation attempts. The vulnerability serves as a reminder of the critical importance of input validation and output encoding in web applications, particularly within administrative interfaces where the potential for privilege escalation exists.
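The defect class described in the analysis, and the output-encoding and CSP mitigations recommended above, as an added PHP illustration. This is not code from the MyBB Delete Account Plugin or from MyBB; the function names, the table row layout and the sample deletion reason are constructed for the example, and it assumes PHP 8 (for str_contains).

```php
<?php
// Added illustration, not code from the MyBB Delete Account Plugin.
// It models the defect class in the advisory: a user-supplied deletion
// reason rendered into an admin page with and without output encoding.
// Function names, the row layout and the sample reason are assumptions.

declare(strict_types=1);

// "Before": the reason is concatenated into the admin markup unchanged,
// so any HTML in $reason becomes part of the page the administrator loads.
function render_reason_row_unsafe(string $username, string $reason): string
{
    return "<tr><td>{$username}</td><td>{$reason}</td></tr>";
}

// Encode one untrusted value for an HTML text or quoted-attribute context.
// ENT_QUOTES also encodes the single quote, so the value is safe inside
// attributes delimited by '; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of making htmlspecialchars() return an empty string.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "After": every untrusted field is encoded at the point of output.
// Encoding on output (rather than only filtering on input) is what keeps
// the admin view safe no matter how the reason reached the database.
function render_reason_row_safe(string $username, string $reason): string
{
    return '<tr><td>' . esc_html($username) . '</td><td>'
         . esc_html($reason) . '</td></tr>';
}

// Defence in depth for the admin area: a CSP that only allows scripts
// served from the forum's own origin. An injected inline <script> is then
// refused by the browser even if an encoding gap remains elsewhere.
function send_admin_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
             . "object-src 'none'; base-uri 'self'");
    }
}

// Constructed sample input: a deletion reason that carries markup.
$sample_reason = 'too many ads <script>alert(1)</script>';

if (PHP_SAPI === 'cli') {
    $unsafe = render_reason_row_unsafe('alice', $sample_reason);
    $safe   = render_reason_row_safe('alice', $sample_reason);

    // Self-check: the unencoded row still contains an executable tag,
    // the encoded row contains only &lt;script&gt; text.
    if (!str_contains($unsafe, '<script>')) {
        throw new RuntimeException('unsafe rendering did not reproduce the defect');
    }
    if (str_contains($safe, '<script')) {
        throw new RuntimeException('output encoding failed');
    }
    echo $safe, PHP_EOL;
}
```

In a real MyBB plugin the encoding step is normally done with the core wrapper htmlspecialchars_uni() rather than a hand-written helper, and the CSP header would be set for the whole admin control panel, not per view; the two functions here are only to make the before/after contrast visible in one file.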

Responsible

VulnCheck

Reservation

01/18/2026

Disclosure

01/23/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00044

KEV

no

Activities

very low
