This is happening again today, even though it was cleaned up yesterday afternoon. Could be a compromised login account posting injected script to a forum post? Or using it in their avatar url?
There is a newer version of UBB btw (7.6), they keep patching more XSS vulnerabilities!