Published: 24/09/2019 Updated: 26/09/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

vBulletin 5.x up to and including 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Vulnerability Trend

Affected Products

Vendor Product Versions
VbulletinVbulletin5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.6, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4


## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' =& ...

Mailing Lists

vBulletin version 5x pre-authentication remote code execution Metasploit module ...
Nmap NSE script that exploits a pre-authentication remote command execution vulnerability in vBulletin versions 5x ...

Metasploit Modules

vBulletin widgetConfig RCE

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring POST request.

msf > use exploit/multi/http/vbulletin_widgetconfig_rce
msf exploit(vbulletin_widgetconfig_rce) > show targets
msf exploit(vbulletin_widgetconfig_rce) > set TARGET < target-id >
msf exploit(vbulletin_widgetconfig_rce) > show options
    ...show and set options...
msf exploit(vbulletin_widgetconfig_rce) > exploit

Recent Articles

vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach
Threatpost • Lindsey O'Donnell • 10 Oct 2019

Hackers have stolen the account details of 250,000 users of Dutch sex-work forum Hookers.nl – including email addresses of both escorts and customers.
The website provides a forum for escorts and customers to discuss sex work — including clients discussing their experiences with sex workers. A moderator on the forum said on Thursday that a hacker gained access to personal details through a recently disclosed software vulnerability in an external software supplier of the website, vBulle...

Cloudflare Now Blocks the vBulletin RCE CVE-2019-16759 Exploit
BleepingComputer • Lawrence Abrams • 29 Sep 2019

This week a zero-day vBulletin remote code execution vulnerability and exploit was publicly disclosed and is being used by bad actors to attack vBulletin forums. Cloudflare has now created a special rule that will prevent this exploit from working on vBulletin sites behind Cloudflare's service.
Remote code execution vulnerabilities are the most critical as they allow attackers to execute commands, take over a site, install malware, or even distribute malware from a victim's computer and ...

Rash of Exploits Targets Critical vBulletin RCE Bug
Threatpost • Tara Seals • 26 Sep 2019

A critical remote code execution (RCE) bug affecting default 5.x versions of vBulletin (CVE-2019-16759) is being actively exploited in the wild, allowing unauthenticated attackers to take control of web hosts.
A zero-day proof-of-concept code was anonymously published on Monday, ahead of vBulletin issuing a patch. Also, Tenable vice president of intelligence Gavin Millard said via email that there is now a script to leverage Shodan and mass identify thousands of vulnerable systems.