From what I can gather, this issue would involve some deception from another website linking to the addons page where the link included some malicious JavaScript code, or an email sent to someone, again with a link that does the same. It wouldn't affect anyone visiting the add-ons page via the MusicBee website. Anyone who is more knowledgeable about cross-scripting attacks, please correct me if I have it wrong or refine what I have said.
Yeah, that is pretty much the case.
On the malicious side, one can simply steal cookies and verify him as logged in. Ofc the victim has to click on that specialized URL. This gets worse, for example if an admin/mod clicks on a crafted link, his cookies might get stolen and the attacker gets admin/mod access.
Of course he won't be able to change any forum setting or so, since SMF asks to re-enter the password on sensitive operations.
This method does not work on Chromium-based browsers, fortunately.