Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

vBulletin Template Engine Arbitrary PHP Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in vBulletin versions 5.0.0 through 6.0.3. This vulnerability arises from the improper handling of template conditionals in the template engine, which allows attackers to execute arbitrary PHP code. By crafting template code that exploits an alternative PHP function invocation syntax, such as using 'var_dump' as a string argument, attackers can bypass security checks and execute malicious code. This vulnerability has been actively exploited in the wild since May 2025.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where vBulletin is hosted.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/ajax/api/ad/wrapAdTemplate' endpoint with a template that includes a '<vb:if>' conditional. The conditional should be crafted to include PHP code, such as a call to 'var_dump', which will be executed on the server. This can be done using a Proof of Concept script available on the researcher's website.

Remediation

Users can update to vBulletin versions 6.0.3 Patch Level 1, 6.0.2 Patch Level 1, 6.0.1 Patch Level 1, or 5.7.5 Patch Level 3, all of which include the necessary fix.
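As an added example (not part of this advisory and not vBulletin's own code), the following Python helper turns the affected range and fixed patch levels stated above into an inventory check that classifies an installed version string. The short 'PLn' spelling it accepts alongside 'Patch Level n' is an assumed convention, not something the advisory uses.

```python
import re
from typing import Tuple

# Affected range and fixed releases as stated in the advisory text above.
AFFECTED_LOW = (5, 0, 0)
AFFECTED_HIGH = (6, 0, 3)   # inclusive
# Release branch -> first patch level that contains the fix.
FIXED_PATCH_LEVELS = {
    (6, 0, 3): 1,
    (6, 0, 2): 1,
    (6, 0, 1): 1,
    (5, 7, 5): 3,
}

# Accepts '6.0.3', '6.0.3 Patch Level 1' and the assumed short form '6.0.3 PL1'.
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:Patch\s+Level\s+(\d+)|PL\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Return ((major, minor, patch), patch_level); a missing patch level is 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vBulletin version string: {text!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    patch_level = int(m.group(4) or m.group(5) or 0)
    return base, patch_level


def assess(text: str) -> str:
    """Classify an installed version against the advisory's affected/fixed data."""
    base, patch_level = parse_version(text)
    if not (AFFECTED_LOW <= base <= AFFECTED_HIGH):
        return "not in affected range"
    fixed_pl = FIXED_PATCH_LEVELS.get(base)
    if fixed_pl is not None and patch_level >= fixed_pl:
        return "patched"
    if fixed_pl is None:
        # Inside the affected range but no patch level is listed for this branch.
        return "affected; no patch level listed for this branch, upgrade to a fixed release"
    return f"affected; apply Patch Level {fixed_pl} or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["5.6.9", "5.7.5 Patch Level 2", "5.7.5 PL3", "6.0.3", "6.0.3 Patch Level 1", "6.1.0"]:
        print(f"{v:22} -> {assess(v)}")
```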

Added: Jun 5, 2025, 11:17 PM
Updated: Jun 5, 2025, 11:53 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 10.0
exploitability: 10.0
remediation: 7.7
relevance: 0.0
threat: 9.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.