vBulletin
cpe:2.3:a:vbulletin:vbulletin:*:*:*:*:*:*:*
- >= 5.0.0, <= 5.5.4
This vulnerability is being actively exploited in the wild.
A remote code execution vulnerability has been identified in vBulletin 5.x, versions 5.0.0 through 5.5.4. The flaw lies in the handling of the widgetConfig[code] parameter of a POST request whose routestring is ajax/render/widget_php: the parameter value is evaluated as PHP, so an unauthenticated remote attacker can execute arbitrary PHP code on the server.
Successful exploitation gives arbitrary code execution on the server. The injected code runs with the privileges of the account under which the web server executes vBulletin's PHP, so the attacker inherits everything that account can read or modify, including vBulletin's own configuration and web root.
To reproduce, send a POST request to the vBulletin front controller with routestring set to ajax/render/widget_php and a widgetConfig[code] parameter whose value is PHP code; the server evaluates that value and returns whatever it outputs in the response. No authentication or session is required. The ajax/render/widget_php routestring must be used; other widget routes do not reach the affected code path.
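The request pattern above is simple enough to match at a reverse proxy, WAF or body-logging pipeline. The following detector is an added example written for this page; it is not vBulletin code and not part of the original advisory. It assumes the proxy can hand it the request URL and the x-www-form-urlencoded body, and that friendly URLs such as /ajax/render/widget_php are rewritten by vBulletin to the routestring parameter (an assumption about the deployment's URL rewriting). The sample requests are constructed.

```python
"""Flag HTTP requests matching the vBulletin 5.x widget_php abuse pattern.

Added example, not vBulletin's code. Assumes a proxy/WAF that exposes the
request URL and form-encoded body; sample requests below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

TARGET_ROUTE = "ajax/render/widget_php"
CODE_KEY = "widgetconfig[code]"


def _params(query: str, body: str) -> dict:
    """Merge query-string and form-body parameters, keys lower-cased.

    parse_qs percent-decodes keys, so widgetConfig%5Bcode%5D and
    widgetConfig[code] both normalise to 'widgetconfig[code]'.
    """
    merged = {}
    for part in (query, body):
        for key, values in parse_qs(part, keep_blank_values=True).items():
            merged.setdefault(key.lower(), []).extend(values)
    return merged


def is_widget_php_abuse(url: str, body: str = "") -> bool:
    """True when the request routes to widget_php AND supplies widgetConfig[code].

    Both pieces may arrive in the query string or the body. A normal widget
    render never carries PHP source in widgetConfig[code] from the client, so
    the combination is the signal, regardless of what the code says.
    """
    parts = urlsplit(url)
    # Assumption: friendly URLs (/ajax/render/widget_php) are rewritten to
    # routestring by the site's rewrite rules, so check the path as well.
    path = parts.path.strip("/").lower()
    params = _params(parts.query, body)
    routes = [r.strip("/").lower() for r in params.get("routestring", [])]
    routed = path.endswith(TARGET_ROUTE) or TARGET_ROUTE in routes
    return routed and CODE_KEY in params


def scan(requests):
    """Return the (url, body) pairs that match, for alerting."""
    return [(u, b) for u, b in requests if is_widget_php_abuse(u, b)]


# Constructed sample traffic: two abuse attempts, three benign requests.
SAMPLE_REQUESTS = [
    ("/forum/", ""),
    ("/", "routestring=ajax/render/widget_php&widgetConfig[code]=echo 'probe';"),
    ("/?routestring=ajax/render/widget_php", "widgetConfig%5Bcode%5D=phpinfo%28%29%3B"),
    ("/ajax/render/widget_php", "widgetConfig[title]=Hello"),
    ("/", "routestring=ajax/render/widget_php"),
]

if __name__ == "__main__":
    for url, body in scan(SAMPLE_REQUESTS):
        print("ALERT widget_php code injection:", url, body[:60])
```

The match deliberately ignores the content of widgetConfig[code]: any client-supplied value on that route is an attempt, so there is nothing to gain from pattern-matching the PHP itself, and attackers can trivially obfuscate it.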
vBulletin has released a security patch for this vulnerability for versions 5.5.2, 5.5.3 and 5.5.4; earlier 5.x releases receive no patch and must be upgraded to a patched release. Because the flaw is being exploited in the wild, affected installations should also be checked for signs of prior compromise (unexpected PHP files in the web root, modified templates or plugins) rather than only patched.