MyBB prior to 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.
mybb mybb