OFFSITE.DARK

Jun 29, 2026


Sploitus / Exploitarium

  • mybb
  • privilege-escalation
  • php
  • exploitarium

news

MyBB 1.8.40 Limited ACP to Full Administrator

ACP user-manager permission alone can create gid=4 Administrator accounts — verify_usergroup() accepts any group.

Summary

ACP user-manager permission alone can create gid=4 Administrator accounts — verify_usergroup() accepts any group. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

Finding          | Detail
Product / target | MyBB 1.8.40
Primitive        | Unvalidated usergroup POST in Admin CP add-user flow
Impact           | Limited ACP user module access → full board administration.

Attack Chain

ACP session with user-users=1 → POST usergroup=4 → new full admin account

Mitigation

Restrict the ACP user-management permission to trusted staff; apply the vendor fix when it ships; audit for unexpected Administrator (gid=4) accounts.
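The two defensive pieces above, the missing allowlist check and the audit, as an added example. This is illustrative code written for this summary, not MyBB's verify_usergroup() or any other MyBB code; the group ids other than 4, the Actor fields and the sample user rows are constructed assumptions. It mirrors the fix a maintainer would want (a group id must exist, and administrator-class groups may only be assigned by a super admin) and then scans user rows for accounts holding gid 4 that are not on a reviewed list.

```python
"""Added example (not MyBB code): allowlist check for usergroup assignment
plus an audit for unexpected Administrator accounts.

Assumptions (constructed for this example): gid 4 is the Administrators
group (as stated on the page); the other gids are placeholders; user rows
carry uid, username, usergroup and a comma-separated additionalgroups field.
"""
from dataclasses import dataclass

ADMIN_GID = 4                        # Administrators, per the advisory
KNOWN_GIDS = {1, 2, 3, 4, 5, 6, 7}   # hypothetical set of groups that exist on the board
PRIVILEGED_GIDS = {ADMIN_GID}        # groups whose assignment needs super-admin rights


@dataclass
class Actor:
    uid: int
    is_super_admin: bool
    can_manage_users: bool   # the ACP user-manager permission (user-users=1)


def can_assign_group(actor: Actor, gid: int) -> tuple[bool, str]:
    """Return (allowed, reason).

    Replaces 'any group is accepted' with an allowlist: the gid must exist,
    and privileged groups require a super admin. The user-manager permission
    alone is not enough to hand out gid 4.
    """
    if not actor.can_manage_users:
        return False, "actor lacks the user-manager permission"
    if gid not in KNOWN_GIDS:
        return False, f"unknown usergroup {gid}"
    if gid in PRIVILEGED_GIDS and not actor.is_super_admin:
        return False, f"usergroup {gid} is privileged; super admin required"
    return True, "ok"


def parse_additional_groups(raw: str) -> set[int]:
    """additionalgroups is a comma-separated string, possibly empty."""
    return {int(g) for g in raw.split(",") if g.strip().isdigit()}


def find_unexpected_admins(rows, expected_admin_uids):
    """Return usernames holding gid 4 (primary or additional) that are not on
    the reviewed allowlist: the audit step named in the mitigation."""
    flagged = []
    for row in rows:
        groups = {row["usergroup"]} | parse_additional_groups(row["additionalgroups"])
        if ADMIN_GID in groups and row["uid"] not in expected_admin_uids:
            flagged.append(row["username"])
    return flagged


# Constructed sample rows (not real board data).
SAMPLE_USERS = [
    {"uid": 1, "username": "founder",  "usergroup": 4, "additionalgroups": ""},
    {"uid": 2, "username": "alice",    "usergroup": 2, "additionalgroups": ""},
    {"uid": 3, "username": "helpdesk", "usergroup": 3, "additionalgroups": "4"},
    {"uid": 4, "username": "newadmin", "usergroup": 4, "additionalgroups": ""},
]
EXPECTED_ADMIN_UIDS = {1}   # the one administrator the board owner knows about


if __name__ == "__main__":
    limited = Actor(uid=7, is_super_admin=False, can_manage_users=True)
    print(can_assign_group(limited, 4))   # (False, 'usergroup 4 is privileged; super admin required')
    print(can_assign_group(limited, 2))   # (True, 'ok')
    print(find_unexpected_admins(SAMPLE_USERS, EXPECTED_ADMIN_UIDS))  # ['helpdesk', 'newadmin']
```

The audit deliberately checks additionalgroups as well as the primary usergroup, since an account with a harmless primary group and gid 4 as an additional group is still a full administrator.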

Sources

→ Source