A vulnerability in MyBB forum software allows attackers to exploit a stored cross-site scripting (XSS) flaw and an authenticated remote code execution (RCE) vulnerability, potentially leading to full control over the target forum's database and user accounts. An attacker can craft a malicious JavaScript code that is executed when an administrator opens a private message containing the code, allowing for unauthorized access to all user accounts and stored data. Additionally, administrators of the forum can be tricked into creating shell files on the server by sending them a specific filename with a longer name than allowed, resulting in a file write vulnerability. These vulnerabilities were reported privately to MyBB in April 2019 and patched in version 1.8.21 released in June 2019.