vBulletin Flaw Exposes Forums to Remote Code Attacks
A critical vulnerability in vBulletin, one of the most widely used internet forum platforms, has exposed thousands of websites to unauthenticated remote code execution (RCE), cybersecurity researchers have disclosed. The flaw affects vBulletin 5.x and 6.x running on PHP 8.1 or later. The root cause is a behaviour change in PHP's Reflection API: as of PHP 8.1, methods invoked through ReflectionMethod are always treated as accessible, so the protected visibility that previously made such a call fail no longer blocks it, and attackers can invoke protected methods without authentication.
The issue stems from how vBulletin's custom Model-View-Controller architecture combines dynamic routing with the ReflectionMethod class to dispatch incoming requests to API methods. Attackers can exploit this by triggering internal methods such as vB_Api_Ad::replaceAdTemplate() to inject malicious templates. The template engine’s handling of
The exploit has been verified on multiple versions, including 5.1.0, 5.7.5, 6.0.1, and 6.0.3. The flaw is reportedly patched in version 6.0.4. Site operators should check both the vBulletin version and the PHP version in use, since the same vBulletin code is only exposed once it runs on PHP 8.1 or later. Security experts warn developers against relying solely on method visibility for access control in dynamic frameworks: a language upgrade can change what the runtime enforces, so routable methods should be allowlisted explicitly.
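The following PHP script is an added illustration of the dispatch pattern described above and of the advice about not relying on visibility; it is not vBulletin's own code, and the class and method names (DemoApi, replaceTemplate, list) are hypothetical. It shows a minimal reflection-based router that takes the method name from the request, why its implicit "protected means unreachable" assumption breaks on PHP 8.1+, and a hardened dispatcher that allowlists routable methods and checks visibility explicitly.

```php
<?php
// Added example, not vBulletin code. Demonstrates why a reflection-based
// dynamic router must not rely on method visibility for access control.
// Class/method names below are hypothetical stand-ins for a real API class.

class DemoApi
{
    // Public entry point the router is meant to expose over HTTP.
    public function list(): string
    {
        return 'public list';
    }

    // Internal helper the author assumed was unreachable from the web
    // because it is protected.
    protected function replaceTemplate(string $tpl): string
    {
        return "template replaced with: $tpl";
    }
}

/**
 * Vulnerable pattern: the only thing keeping non-public methods off the
 * web is that ReflectionMethod::invokeArgs() refused to call them.
 * On PHP < 8.1 this throws ReflectionException for a protected method;
 * on PHP >= 8.1 reflection treats every method as accessible, so the
 * implicit check silently disappears and the call succeeds.
 */
function dispatchVulnerable(object $controller, string $method, array $args): string
{
    $rm = new ReflectionMethod($controller, $method);
    return (string) $rm->invokeArgs($controller, $args);
}

/**
 * Hardened pattern: an explicit allowlist of routable methods plus an
 * explicit visibility check, so behaviour does not depend on PHP version.
 */
function dispatchHardened(object $controller, string $method, array $args): string
{
    $routable = ['list']; // only these names may be reached via HTTP
    if (!in_array($method, $routable, true)) {
        throw new RuntimeException("method not routable: $method");
    }
    $rm = new ReflectionMethod($controller, $method);
    // Defence in depth: even an allowlisted name must be a public,
    // non-static, non-magic instance method.
    if (!$rm->isPublic() || $rm->isStatic() || str_starts_with($method, '__')) {
        throw new RuntimeException("method not routable: $method");
    }
    return (string) $rm->invokeArgs($controller, $args);
}

// Constructed sample request: attacker-controlled method name and argument.
// Defaults emulate a request for the protected helper.
$ctl    = new DemoApi();
$method = $_GET['method'] ?? 'replaceTemplate';
$args   = [$_GET['tpl'] ?? '<constructed sample template>'];

try {
    echo 'vulnerable: ' . dispatchVulnerable($ctl, $method, $args) . PHP_EOL;
} catch (ReflectionException $e) {
    // Reached only on PHP < 8.1, where reflection still enforced visibility.
    echo 'vulnerable (PHP < 8.1): ' . $e->getMessage() . PHP_EOL;
}

try {
    echo 'hardened: ' . dispatchHardened($ctl, $method, $args) . PHP_EOL;
} catch (RuntimeException $e) {
    echo 'hardened: ' . $e->getMessage() . PHP_EOL;
}
```

Run it with `php dispatch.php` on PHP 8.1 or later and the vulnerable dispatcher reaches the protected method, while the hardened one rejects it; on an older PHP the first call fails with a ReflectionException, which is exactly the accidental protection the upgrade removed. The allowlist, not the `isPublic()` check, is the primary control: visibility describes code structure, not authorization.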
