A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the full disclosure mailing list this past Monday.
This vulnerability is extremely severe. It allows any website visitors to run PHP code and shell commands on the site’s underlying server.
Am I At Risk?
Update: vBulletin has released security patches available here.
At the time of writing this, this is still a zero-day vulnerability—meaning there are no official patches available to fix this issue.