Published: 24/09/2019 Updated: 26/09/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

vBulletin 5.x up to and including 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
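As an added example (not part of this record, and not vendor or Metasploit code), the script below shows how a defender could flag requests matching the two indicators the summary names: the ajax/render/widget_php routestring and the widgetConfig[code] parameter. The log lines and the combined-log regex are constructed for the example; real server log formats may differ and the pattern should be adapted before use.

```python
"""Flag web-server log lines carrying the CVE-2019-16759 request indicators.

Added example; indicators come from the vulnerability summary above.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators taken from the summary on this page.
ROUTE = "ajax/render/widget_php"
PARAM = "widgetConfig[code]"

# Combined-log-format line (constructed pattern; adjust to your server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def classify_request(target, body=""):
    """Return the set of indicator names found in a request target.

    `body` is an optional URL-encoded POST body; access logs normally do not
    carry it, so the widgetConfig[code] indicator is only visible when the
    parameter is sent in the query string or when a body is available.
    """
    hits = set()
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if body else {}

    route_values = query.get("routestring", []) + form.get("routestring", [])
    if ROUTE in path or any(ROUTE in v for v in route_values):
        hits.add("widget_php_route")
    if PARAM in query or PARAM in form:
        hits.add("widgetConfig_code")
    return hits


def scan_log(lines):
    """Return one finding per combined-format log line that carries an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify_request(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "method": m.group("method"),
                "target": m.group("target"),
                "indicators": sorted(hits),
            })
    return findings


# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2019:10:00:01 +0000] '
    '"POST /index.php?routestring=ajax/render/widget_php HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Sep/2019:10:00:02 +0000] '
    '"GET /index.php?routestring=ajax%2Frender%2Fwidget_php'
    '&widgetConfig%5Bcode%5D=PLACEHOLDER HTTP/1.1" 200 1024',
    '192.0.2.9 - - [25/Sep/2019:10:00:03 +0000] '
    '"GET /forum/threads/123 HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A line that hits only the route is a weaker signal than one that also carries widgetConfig[code]; in the second case the value of the parameter should be inspected in the full request capture if one exists, since the route alone may also appear in legitimate widget rendering.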

Affected Products

Vendor      Product     Versions
vBulletin   vBulletin   5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.6, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4


    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
      include Msf::Exploit::Remote::HttpClient

      def initialize(info = {})
        super(update_info(info,
          'Name' => ...

Mailing Lists

Nmap NSE script that exploits a pre-authentication remote command execution vulnerability in vBulletin versions 5.x ...
vBulletin version 5.x pre-authentication remote code execution Metasploit module ...

Recent Articles

vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach
Threatpost • Lindsey O'Donnell • 10 Oct 2019

Hackers have stolen the account details of 250,000 users of Dutch sex-work forum Hookers.nl – including email addresses of both escorts and customers.
The website provides a forum for escorts and customers to discuss sex work — including clients discussing their experiences with sex workers. A moderator on the forum said on Thursday that a hacker gained access to personal details through a recently disclosed software vulnerability in an external software supplier of the website, vBulle...

Cloudflare Now Blocks the vBulletin RCE CVE-2019-16759 Exploit
BleepingComputer • Lawrence Abrams • 29 Sep 2019

This week a zero-day vBulletin remote code execution vulnerability and exploit was publicly disclosed and is being used by bad actors to attack vBulletin forums. Cloudflare has now created a special rule that will prevent this exploit from working on vBulletin sites behind Cloudflare's service.
Remote code execution vulnerabilities are the most critical as they allow attackers to execute commands, take over a site, install malware, or even distribute malware from a victim's computer and ...

Rash of Exploits Targets Critical vBulletin RCE Bug
Threatpost • Tara Seals • 26 Sep 2019

A critical remote code execution (RCE) bug affecting default 5.x versions of vBulletin (CVE-2019-16759) is being actively exploited in the wild, allowing unauthenticated attackers to take control of web hosts.
Zero-day proof-of-concept code was anonymously published on Monday, ahead of vBulletin issuing a patch. Also, Tenable vice president of intelligence Gavin Millard said via email that there is now a script to leverage Shodan and mass identify thousands of vulnerable systems.