Does not sanitize the output before showing the post and subject data to the user in their profile.
Add the following lines at line # 2074 (create two new lines if there is content on line 2074);
$post['subject'] = htmlspecialchars_uni($post['subject']);
$thread['subject'] = htmlspecialchars_uni($thread['subject']);
When the page outputs the profile, any HTML will be encoded.
Alternatively update your MyBB Like Plugin to 3.1.0 or later from the MyBB Community hub.
3.1.0 changelog includes the Sanitization in the thread and subject fields as above:
*[FIX] - Sanitize post and thread names
*[FIX] - Trophy post - content wordwrap
*[FIX] - broken URL in ACP plugin setting - PHP date/time
*[FIX] - Collapse/expand buttons are not loaded