Vbulletin: >> Vbulletin >> 5.5.1 Security Vulnerabilities
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
CVSS Score
10.0
EPSS Score
0.17
Published
2025-05-27
A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-09-16
vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
CVSS Score
9.8
EPSS Score
0.938
Published
2020-05-08
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.
CVSS Score
4.9
EPSS Score
0.004
Published
2019-10-08
vBulletin through 5.5.4 mishandles external URLs within the /core/vb/vurl.php file and the /core/vb/vurl directories.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-10-04
vBulletin before 5.5.4 allows clickjacking.
CVSS Score
4.3
EPSS Score
0.002
Published
2019-10-04
vBulletin through 5.5.4 mishandles custom avatars.
CVSS Score
9.8
EPSS Score
0.252
Published
2019-10-04
CVE-2019-16759
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
Known exploited
CVSS Score
9.8
EPSS Score
0.944
Published
2019-09-24
Directory traversal vulnerability in vbseo.php in Crawlability vBSEO plugin 3.1.0 for vBulletin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the vbseourl parameter.
CVSS Score
6.8
EPSS Score
0.012
Published
2010-03-23