vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
The problem occurs only in environments running PHP 8.1 or newer, where the protection mechanism for protected API methods stops working properly. An attacker can send a request to the /api.php endpoint with a parameter invoking a protected controller method (e.g., /api.php?method=protectedMethod) without any authentication. vBulletin does not properly verify access permissions for these methods in the mentioned versions on PHP 8.1+, resulting in unauthorized code execution on the server side. The vulnerability is classified as CWE-424, which is improper protection of an alternative path.
An unauthenticated attacker can gain full control over the server, including reading and modifying data (C:H/I:H), as well as causing service unavailability (A:H) with effects extending beyond the application scope (S:C). In practice, this means the possibility of remote code execution (RCE) on the server hosting the forum.
Immediately apply patches available from the vendor according to the references. Due to active exploitation in production environments, immediate action is recommended — until the update is applied, consider temporary restriction of access to the /api.php endpoint at the firewall or web server level.
vBulletin versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3 running on PHP 8.1 or newer
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HVbulletin
APPVbulletin5.0.0 – 5.7.56.0.0 – 6.0.3
Related vulnerabilities
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/wi...
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/re...
RCE w vBulletin poprzez Template Conditionals — wykonanie dowolnego kodu PHP
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted H...
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/wi...