vBulletin users who still use the vBSEO search engine optimization plugin are advised to either uninstall it or apply a patch because the software is plagued by a serious vulnerability.
The vulnerability (CVE-2014-9463) was reportedly uncovered by Internet Brands, vBulletin’s parent company. The forum software developer sent out an email last week to notify potentially affected users.
Since vBSEO has been discontinued, it’s unlikely that a new version of the software will be made available to address the issue.
“It has come to our attention that there may be a potential security vulnerability in VBSEO affecting the latest version of the software (and potentially other versions as well). We’ve attempted to contact the vendor, but as they have been non-responsive we felt we should alert the community as many of our customers use this add-on software,” vBulletin wrote in the email sent out to users.
Researchers from Sucuri have analyzed the vBSEO flaw. The security firm advises users to completely remove the module from their websites, place their sites behind a Web firewall, or apply a workaround recommended by vBulletin.
The vulnerability can be patched by removing a couple of lines of code from the vbseo/includes/functions_vbseo_hook.php file. However, vBulletin noted that users should apply these changes at their own risk.
“We don’t know if making this change affects the terms of your VBSEO license and we can’t be responsible if making this change breaks your site,” the company said.
On Thursday, Sucuri researchers said they suspected that the security hole is a remote, unauthenticated script injection vulnerability that could lead to full remote code execution.
Daniel Cid, founder and CTO of Sucuri, has confirmed to SecurityWeek that the bug is a “full command execution vulnerability that allows for PHP code to be executed when passed via the referer field.”
An attacker can exploit this vulnerability to inject malware into affected websites, use them for spam, or take them down entirely.
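Because the flaw is triggered by PHP code arriving in the Referer header, one practical check for site operators is to look through web server access logs for Referer values that contain PHP source rather than a URL. The following is an added example, not code from SecurityWeek, Sucuri or the vBSEO project: it parses Apache/nginx "combined" format log lines, URL-decodes the Referer field (attack strings are often percent-encoded), and flags entries carrying PHP open tags or calls to code-execution functions. The log lines embedded in it are constructed for illustration, and the pattern list is a coarse heuristic that an operator would tune to their own traffic.

```python
import re
from urllib.parse import unquote
from typing import Dict, List, Optional

# Apache/nginx "combined" log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A legitimate Referer is a URL; PHP open tags or calls to execution
# primitives inside it are a strong indicator of an injection attempt.
# This list is a heuristic chosen for the example, not a vendor signature.
SUSPICIOUS_REFERER_PATTERNS = [
    re.compile(r"<\?php", re.IGNORECASE),
    re.compile(r"<\?="),
    re.compile(r"\b(eval|assert|system|exec|passthru|shell_exec)\s*\(", re.IGNORECASE),
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_is_suspicious(referer: str) -> bool:
    """True if the (decoded) Referer value looks like PHP source instead of a URL."""
    if referer in ("", "-"):
        return False
    decoded = unquote(referer)  # catch percent-encoded payloads such as %3C%3Fphp
    return any(p.search(decoded) for p in SUSPICIOUS_REFERER_PATTERNS)


def find_suspicious_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records whose Referer header matches a suspicious pattern."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line (rotated header, truncated write, other format)
        if referer_is_suspicious(rec["referer"]):
            hits.append(rec)
    return hits


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2015:10:01:02 +0000] "GET /forum/index.php HTTP/1.1" '
    '200 5123 "https://www.example.com/forum/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2015:10:02:11 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" '
    '200 4321 "<?php echo \'probe\'; ?>" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Feb/2015:10:03:00 +0000] "GET /forum/ HTTP/1.1" 200 100 "-" "curl/7.64.1"',
    '192.0.2.44 - - [10/Feb/2015:10:04:37 +0000] "GET /forum/forumdisplay.php?f=2 HTTP/1.1" '
    '200 2200 "http://example.net/?x=%3C%3Fphp%20echo%201%3B%20%3F%3E" "Mozilla/5.0"',
    "this line is not in combined format and is skipped",
]


if __name__ == "__main__":
    for rec in find_suspicious_requests(SAMPLE_LOG):
        print(f'{rec["time"]} {rec["ip"]} {rec["request"]!r} referer={rec["referer"]!r}')
```

Run against a real access log with `find_suspicious_requests(open(path).read().splitlines())`; hits from the same source address before the patch was applied are a reason to review that host for dropped files or modified PHP, since the page reports the bug allows full command execution.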
This particular issue doesn’t affect vBulletin itself, but the forum platform can also be plagued by security issues. In July 2014, vBulletin released a patch to address a critical SQL injection vulnerability that exposed website databases.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.