## https://sploitus.com/exploit?id=PACKETSTORM:171421
# Exploit Title: MyBB Export User Plugin 2.0 - Cross-Site Scripting  
# Date: January 29, 2021  
# Author: 0xB9  
# Twitter: @0xB9sec  
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1408  
# Version: 2.0  
# Tested On: Windows 10  
# CVE: CVE-2023-27890  
  
Description:  
This plugin allows users to request an export of their data. XSS occurs when an admin generates the data for a user.  
  
Proof of Concept:  
  
- As a regular user, go to User CP -> Edit Profile  
- Add a payload in Custom User Title, Location, or Bio: <script>alert(1)</script>  
- Request your data via User CP -> DSGVO data request  
- Log in as admin; you will be notified that a user wants their data  
- When the admin generates the user's data, the payload will execute
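
The fix for this class of bug is to HTML-encode the stored profile fields at the point where the admin export view is rendered. The following is an added example, not the plugin's own code: the record keys (`usertitle`, `location`, `bio`) and the functions `render_export_raw`, `render_export_safe` and `e` are hypothetical names chosen for illustration, and the sample record is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample record holding the three profile fields named in the advisory.
$user = [
    'usertitle' => '<script>alert(1)</script>',
    'location'  => 'Berlin',
    'bio'       => "Line one\n<script>alert(1)</script>",
];

// Before: stored values are concatenated into the admin page without encoding.
function render_export_raw(array $user): string
{
    $rows = '';
    foreach (['usertitle', 'location', 'bio'] as $field) {
        $rows .= "<tr><th>{$field}</th><td>{$user[$field]}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>";
}

// HTML-encode a value for use in element content or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every user-controlled value is encoded at output time.
function render_export_safe(array $user): string
{
    $rows = '';
    foreach (['usertitle', 'location', 'bio'] as $field) {
        // nl2br() runs after encoding, so the only markup is the <br> it adds.
        $cell  = nl2br(e((string) ($user[$field] ?? '')));
        $rows .= '<tr><th>' . e($field) . "</th><td>{$cell}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>";
}

$raw  = render_export_raw($user);
$safe = render_export_safe($user);

// Check both renderings for a live script element.
var_dump(strpos($raw, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
echo $safe, "\n";
```

Encoding belongs at output rather than at profile save time, because the same stored value may later be rendered in contexts (HTML, CSV, JSON) that each need a different encoding.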