CVE-2019-16759

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Basic Information

CVE State: PUBLISHED
Reserved Date: September 24, 2019
Published Date: September 24, 2019
Last Updated: July 30, 2025
Vendor: vBulletin
Product: vBulletin
Description: vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2021-11-03 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2020-08-24 16:15:10 UTC) Source

References

https://seclists.org/fulldisclosure/2019/Sep/31 https://www.theregister.co.uk/2019/09/24/vbulletin_vbug_zeroday/ https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/ http://packetstormsecurity.com/files/154623/vBulletin-5.x-0-Day-Pre-Auth-Remote-Command-Execution.html http://packetstormsecurity.com/files/154648/vBulletin-5.x-Pre-Auth-Remote-Code-Execution.html http://packetstormsecurity.com/files/155633/vBulletin-5.5.4-Remote-Command-Execution.html http://packetstormsecurity.com/files/158830/vBulletin-5.x-Remote-Code-Execution.html http://packetstormsecurity.com/files/158829/vBulletin-5.x-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2020/Aug/5 http://packetstormsecurity.com/files/158866/vBulletin-5.x-Remote-Code-Execution.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb	2025-04-29 11:01:24 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-16759.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

vbulletin_widgetconfig_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2019-16759

fxp0-4tx/CVE-2019-16759

Type: github • Created: 2020-11-29 06:19:36 UTC • Stars: 0

Vbulletin RCE Exploits

sunian19/CVE-2019-16759

Type: github • Created: 2020-08-24 16:15:10 UTC • Stars: 1

0xdims/CVE-2019-16759

Type: github • Created: 2020-08-16 18:17:33 UTC • Stars: 5

This tools will extracts and dumps Email + SMTP from vBulletin database server

nako48/CVE-2019-16759

Type: github • Created: 2020-08-13 19:11:37 UTC • Stars: 1

Vbulletin RCE Exploit

FarjaalAhmad/CVE-2019-16759

Type: github • Created: 2019-10-12 18:51:16 UTC • Stars: 3

Interactive-Like Command-Line Console for CVE-2019-16759

jas502n/CVE-2019-16759

Type: github • Created: 2019-09-26 03:56:22 UTC • Stars: 21

vBulletin 5.x 未授权远程代码执行漏洞

r00tpgp/http-vuln-CVE-2019-16759

Type: github • Created: 2019-09-26 03:27:17 UTC • Stars: 3

Nmap NSE Script to Detect vBulletin pre-auth 5.x RCE CVE-2019-16759

M0sterHxck/CVE-2019-16759-Vbulletin-rce-exploit

Type: github • Created: 2019-09-25 16:12:27 UTC • Stars: 5

Vbulletin rce exploit CVE-2019-16759

Timeline

CVE ID Reserved

September 24, 2019
CVE Published to Public

September 24, 2019
Proof of Concept Exploit Available

August 24, 2020
Added to KEVIntel

November 03, 2021
Detected by Nuclei

April 26, 2025
Detected by Metasploit

April 29, 2025