The vBulletin team sent an email yesterday to all their clients about a potential security vulnerability in VBSEO. VBSEO is a widely used SEO module for vBulletin that was discontinued last year. This makes the problem worse, as no patches will be released for it.
If you are using VBSEO, you have 3 options:
- Completely remove VBSEO from your site – It is not supported anymore
- Apply the patch recommended by the vBulletin team
- Put your site behind a Website Firewall; this will prevent exploitation of this vulnerability and many others.
Our research team is looking at this issue and it seems to be a remote, unauthenticated script (HTML) injection vulnerability. It might lead to a full remote command execution, but we have not confirmed it yet. That’s as serious as it can get, since an attacker can use that to inject malware, spam or take down the site.
Update: We have since confirmed that the remote code execution vulnerability does in fact exist, which is why these recommendations should be followed immediately on all affected VBSEO websites.