XSS injection on 3.0.10
Posted: 21 Aug 2012, 06:16
by MudkipzRule
I've got a user on my forum who has found an XSS injection spot somewhere on my site. He has hijacked the admins' accounts many times and refuses to share the exploit. Has anyone had this happen? Does anyone know where he would be injecting? If I find it, I'll share it here.
Re: XSS injection on 3.0.10
Posted: 21 Aug 2012, 12:48
by bonelifer
There are no known exploits in phpBB. You most likely either have an unpublished (i.e. not in the MODDB) mod installed. Much more likely than that, though, is that another third-party software is being exploited, such as an outdated WordPress install or some other exploitable software. A less likely but still possible explanation is that your host has insecure or improperly configured software on their servers. For instance, one major webhost out there had/has way too permissive permissions set on their shared hosting.