MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php profile action to change a user's cover picture by crafting malicious forms that execute when victims visit affected profiles.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-47934
• https://community.mybb.com/mods.php?action=view&pid=1428
• https://www.exploit-db.com/exploits/49467
• https://www.vulncheck.com/advisories/mybb-timeline-plugin-cross-site-scripting-and-csrf