vBulletin users who still use the vBSEO search engine optimization plugin are advised to either uninstall it or apply a patch because the software is plagued by a serious vulnerability.
The vulnerability (CVE-2014-9463) was reportedly uncovered by Internet Brands, vBulletin’s parent company. The forum software developer sent out an email last week to notify potentially affected users.
Since vBSEO has been discontinued, it’s unlikely that a new version of the software will be made available to address the issue.
“It has come to our attention that there may be a potential security vulnerability in VBSEO affecting the latest version of the software (and potentially other versions as well). We’ve attempted to contact the vendor, but as they have been non-responsive we felt we should alert the community as many of our customers use this add-on software,” vBulletin wrote in the email sent out to users.
Researchers from Sucuri have analyzed the vBSEO flaw. The security firm advises users to completely remove the module from their websites, place their sites behind a Web firewall, or apply a workaround recommended by vBulletin.
The vulnerability can be patched by removing a couple of lines of code from the vbseo/includes/functions_vbseo_hook.php file. However, vBulletin noted that users should apply these changes at their own risk.
“We don’t know if making this change affects the terms of your VBSEO license and we can’t be responsible if making this change breaks your site,” the company said.
On Thursday, Sucuri researchers said they suspected that the security hole was a remote, unauthenticated script injection vulnerability that could lead to full remote code execution.
Daniel Cid, founder and CTO of Sucuri, has confirmed to SecurityWeek that the bug is a “full command execution vulnerability that allows for PHP code to be executed when passed via the referer field.”
An attacker can exploit this vulnerability to inject malware, to distribute spam, and to take down affected websites.
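Sucuri's description of the flaw (PHP code passed via the Referer field) points to one check a site operator can run while deciding whether to remove the plugin: scan the web server's access log for Referer values that carry PHP syntax, which a normal browser never sends. The script below is an added example, not code from the article, vBulletin, or Sucuri. The log lines are constructed, the marker list is an assumption to be tuned per site, and nothing here claims to know how vBSEO itself processed the header.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" log format. Quoted fields may contain \" escapes,
# so each one is matched as (?:[^"\\]|\\.)* rather than [^"]*.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" '
    r'"(?P<agent>' + _QUOTED + r')"$'
)

# Tokens that should never appear in a Referer on a forum site.
# Assumed list for this example; extend it from what your own logs show.
PHP_MARKERS = ("<?php", "<?=", "eval(", "base64_decode(", "system(", "${")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def referer_looks_like_code(referer: str) -> bool:
    """True when the Referer value contains PHP syntax rather than a URL."""
    r = referer.lower()
    return any(marker in r for marker in PHP_MARKERS)


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records whose Referer carries a PHP marker."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec and referer_looks_like_code(rec["referer"]):
            hits.append(rec)
    return hits


# Constructed sample log: two ordinary requests and two with code in the Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2015:10:00:01 +0000] "GET /forum/index.php HTTP/1.1" '
    '200 5120 "https://www.example.com/forum/" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Jan/2015:10:00:02 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" '
    '200 8192 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jan/2015:10:00:03 +0000] "GET /forum/ HTTP/1.1" '
    '200 5120 "<?php echo 1; ?>" "curl/7.35.0"',
    '198.51.100.9 - - [20/Jan/2015:10:00:04 +0000] "GET /forum/ HTTP/1.1" '
    '200 5120 "http://bad.example/${phpinfo()}" "curl/7.35.0"',
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} referer={hit["referer"]!r}')
```

Run against a real access log by feeding `find_suspicious(open(path))` instead of the sample list; a web application firewall in front of the forum, as Sucuri suggests, can apply the same Referer check before the request reaches PHP at all.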
This particular issue doesn’t affect vBulletin itself, but the forum platform has had security problems of its own. In July 2014, vBulletin released a patch to address a critical SQL injection vulnerability that exposed website databases.