CVE-2019-16759

CVSS 9.8 CRITICAL · EPSS 99.7% · KEV · CWE-94
In short

vBulletin 5.x through 5.5.4 allows attackers to run arbitrary code on the server by sending a malicious request through a specific web parameter. This is critical because it gives attackers complete control over the website and its data.

Technical detail

The vulnerability exists in the ajax/render/widget_php route where the widgetConfig[code] parameter is improperly validated, allowing unauthenticated remote code execution. An attacker can inject arbitrary PHP code that executes server-side, compromising the entire application and underlying system.
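
A defensive log check for the request shape described above, as an added example that is not part of the original advisory or of vBulletin's code. It assumes a tab-separated record of source, method, target and form body (for instance from a reverse proxy that logs POST bodies); the record format, sample records and verdict labels are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ROUTE = "ajax/render/widget_php"    # route named in the advisory
CODE_PARAM = "widgetconfig[code]"   # parameter named in the advisory, lowercased

def _decode(value, rounds=3):
    """Undo repeated percent-encoding so %5B and %255B both become '['."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target, body=""):
    """Return 'route+code', 'route-only' or None for one request."""
    parts = urlsplit(target)
    params = {}
    for raw in (parts.query, body):  # query string and form-encoded body
        for key, val in parse_qsl(raw, keep_blank_values=True):
            params[_decode(key).strip().lower()] = _decode(val)
    path = _decode(parts.path).lower().strip("/")
    routestring = params.get("routestring", "").lower().strip("/")
    if routestring != ROUTE and not path.endswith(ROUTE):
        return None
    return "route+code" if CODE_PARAM in params else "route-only"

def scan(lines):
    """Return (source, verdict) for each flagged 'src<TAB>method<TAB>target<TAB>body' line."""
    hits = []
    for line in lines:
        src, _method, target, body = line.rstrip("\n").split("\t", 3)
        verdict = classify(target, body)
        if verdict:
            hits.append((src, verdict))
    return hits

# Constructed sample records (documentation IP ranges, placeholder values).
SAMPLE = [
    "192.0.2.10\tGET\t/forum/index.php?routestring=search\t",
    "198.51.100.7\tPOST\t/index.php\troutestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=PLACEHOLDER",
    "198.51.100.8\tPOST\t/index.php?routestring=ajax%252Frender%252Fwidget_php\twidgetConfig%255Bcode%255D=PLACEHOLDER",
    "203.0.113.5\tGET\t/ajax/render/widget_php\t",
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(src, verdict)
```

A `route+code` hit on an installation in the affected range (5.x through 5.5.4) warrants incident triage; `route-only` hits are worth correlating by source, since the record may simply lack the request body.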

Summary generated and translated by AI from the official description.
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.