It is enabled by default and likely did not require any additional configuration steps. If a MyBB installation was upgraded to a vulnerable MyBB version, the vulnerable code will be active after the upgrade. The forum software can be exploited via the email function. In order to do so, an attacker needs to be able to send a valid email to a victim. This may be possible if the user has configured their email application to accept email from a specific domain, if they use a default or common password for email accounts, or if they have an account on a vulnerable forum that has been exploited in a similar manner. MyBB does not validate the integrity of user input or the requested data. This may lead to a variety of exploitation scenarios, such as remote code execution in the context of the email form or XSS attacks.

CVE-2023-39266

This is disabled by default, but can be enabled with the $cfg['Allow_Call_Back'] setting. In this case the email function is responsible for sending confirmation and notification emails. This can allow an attacker to abuse the email function by sending a confirmation or notification email containing an XSS payload.

Vulnerable Code:

If the email function is used in a vulnerable MyBB installation, it is possible to send an email that contains malicious code. The malicious code may be executed by the forum software as part of an XSS attack or remote code execution.

The email function with a payload

If a user has stored their credentials in a MyBB installation, an attacker can use the email function to send an email with a payload. If the application is configured to allow this action, the server may accept and execute any data sent from the client. This would allow attackers to exploit vulnerabilities such as XSS or RCE.

MyBB RCE Vulnerability – CVE-2017-11211

In MyBB, every email form has a content type of “email.” When the content type is set to “email,” the message body is sent through a mailto: link. The mailto: link for this content type has no validation or sanitization applied to it and allows for remote code execution by sending a valid email.

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/11/2022 05:15:00 UTC

References