MyBB versions 1.8.12 and prior are vulnerable to a cross-site scripting bug that can allow a moderator to take over an administrator's account and upload a webshell, or to perform file enumeration in instances where it is not possible to spawn a shell.
2eada83ea6a14a8c674c26d4d10c26e8ddd172236c1efa264305899384620164