MyBB has released updates that fix vulnerabilities that could allow an attacker to take complete control over a site and potentially the server. Researchers from RIPS Technologies discovered a Stored XSS and File Write vulnerability that when chained together lead to a remote code execution vulnerability in the popular forum. An attacker merely needs a user account on a target forum to send an admin a private message containing malicious JavaScript code, which exploits the RCE vulnerability. By chaining them together they can create a PHP backdoor that gives them full access to the site.
Source: https://www.bleepingcomputer.com/news/security/mybb-forum-patches-vulnerabilities-that-allow-site-takeover/