CVE Reports

Originally published at cvereports.com

CVE-2025-48940: MyBB Upgrade Module Local File Inclusion

Vulnerability ID: CVE-2025-48940
CVSS Score: 7.2
Published: 2025-06-02

A high-severity Local File Inclusion (LFI) vulnerability has been identified in the upgrade component of MyBB, a popular open-source forum software. The flaw resides in the install/upgrade.php script, where insufficient input validation on the action parameter allows attackers to traverse directories and include arbitrary PHP files. This vulnerability affects all MyBB versions prior to 1.8.39. Successful exploitation can lead to Remote Code Execution (RCE) if the attacker can upload or control a file on the disk, or significant information disclosure depending on the server configuration.

TL;DR

MyBB versions before 1.8.39 contain a Local File Inclusion vulnerability in the upgrade wizard. Attackers who can reach the installation script (administrators, or instances where the install directory was never locked or removed) can manipulate the 'action' parameter to execute arbitrary local files.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network
  • CVSS v3.1: 7.2 (High)
  • EPSS Score: 0.00128
  • Impact: Remote Code Execution (RCE) / LFI
  • Exploit Status: PoC Available

Affected Systems

  • MyBB Forum Software
  • MyBB: < 1.8.39 (Fixed in: 1.8.39)

Code Analysis

Commit: 6e6cfbd

Fix LFI in upgrade routine by enforcing alphanumeric check

- $from = $bits[0];
+ if(ctype_alnum($bits[0]))
+ {
+     $from = $bits[0];
+ }
+ else
+ {
+     $from = 0;
+ }
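Review bot: the else branch's `$from = 0;` silently substitutes a default when `$bits[0]` fails `ctype_alnum`, so a malformed `action` value proceeds through the upgrade routine as if step 0 had been requested instead of being rejected; failing closed with an error (and a log entry) would make probing of install/upgrade.php visible rather than invisible. Also check that `ctype_alnum` is the right boundary: it rejects `_`, `-` and `.`, so any legitimate `$bits[0]` containing those characters is now mapped to 0, while it still accepts any letter/digit string, so the included file path should be derived from a fixed prefix or a known list rather than from the accepted value alone.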

Exploit Details

Mitigation Strategies

  • Update MyBB immediately to version 1.8.39 or later.
  • Remove or rename the 'install/' directory entirely after installation or upgrade is complete.
  • Ensure the 'install/lock' file is present to prevent unauthorized access to the upgrade wizard.
  • Implement WAF rules to block 'action' parameters containing directory traversal characters ('../' or '..%2f').
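The last two mitigations (lock or remove 'install/', block traversal in 'action') can also be checked retroactively against web server logs. The script below is an added example, not code from the report or from MyBB: it flags any request to install/upgrade.php and separately flags an 'action' value that still contains '../' after one or more rounds of URL decoding, so '..%2f' and the double-encoded '..%252f' are both caught. The log lines, addresses and action values are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format: client ident user [time] "METHOD target proto" status ...
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# '../' or '..\' after decoding; catches '..%2f' and '..%5c' once unquoted
_TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Constructed sample lines (addresses and action values are made up)
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [02/Jun/2025:10:00:02 +0000] "GET /install/upgrade.php?action=next HTTP/1.1" 200 1033
198.51.100.7 - - [02/Jun/2025:10:00:03 +0000] "GET /install/upgrade.php?action=..%2f..%2fsomefile HTTP/1.1" 200 881
198.51.100.7 - - [02/Jun/2025:10:00:04 +0000] "GET /install/upgrade.php?action=..%252f..%252fsomefile HTTP/1.1" 200 881
"""

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded '..%252f' surfaces as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return findings for one access-log line: [] if benign, else
    'install-script-access' (any hit on install/upgrade.php, which should be
    locked or removed after the upgrade) plus 'action-traversal' when the
    action parameter decodes to a '../' sequence."""
    m = _LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group(3))
    if not unquote(parts.path).endswith('/install/upgrade.php'):
        return []
    findings = ['install-script-access']
    # parse_qs decodes once; decode_fully also handles the double-encoded case
    for action in parse_qs(parts.query).get('action', []):
        if _TRAVERSAL_RE.search(decode_fully(action)):
            findings.append('action-traversal')
            break
    return findings

def scan(log_text):
    """Map 1-based line numbers of suspicious requests to their findings."""
    numbered = enumerate(log_text.splitlines(), 1)
    return {n: f for n, line in numbered if (f := classify(line))}
```

Any 'install-script-access' hit on a production forum whose upgrade is finished is itself worth investigating, whether or not the traversal signal fires.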

Remediation Steps:

  1. Back up the forum database and files.
  2. Download the MyBB 1.8.39 patch files or full package from the official MyBB website.
  3. Upload the patched 'install/upgrade.php' file to the server, overwriting the existing vulnerable file.
  4. Verify that the 'install/' directory is locked (check for 'install/lock' file).
  5. If the install directory is not needed, delete it from the server.

Read the full report for CVE-2025-48940 on our website for more details including interactive diagrams and full exploit analysis.