Overview :
vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
Affected Product(s) :
  • vBulletin 5.x through 5.5.4
Vulnerability Details :
CVE ID : CVE-2019-16759
A specific utility may allow an attacker to gain remote command execution and access to privileged files.
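
For detection, the following Python check is an added example (not part of the original advisory and not vBulletin code). It flags logged requests that match the pattern named in the Overview: the ajax/render/widget_php routestring together with a widgetConfig[code] parameter. The function names, the path-based route check and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

ROUTE = "ajax/render/widget_php"   # routestring named in the advisory
PARAM = "widgetConfig[code]"       # parameter named in the advisory


def _params(encoded: str) -> dict:
    """Decode a form-urlencoded string (query or body) into {key: value}."""
    return dict(parse_qsl(encoded, keep_blank_values=True))


def matches_cve_2019_16759(url: str, body: str = "") -> bool:
    """True when a request targets the widget_php route and carries widgetConfig[code]."""
    parts = urlsplit(url)
    # Parameters may arrive in the query string or in a POST body.
    params = {**_params(parts.query), **_params(body)}
    route = params.get("routestring", "").strip("/")
    # Assumption: with URL rewriting the route can also appear as the request path.
    path_route = parts.path.strip("/")
    on_route = route == ROUTE or path_route.endswith(ROUTE)
    return on_route and PARAM in params


# Constructed sample requests (method, URL, body); all values are placeholders.
SAMPLES = [
    ("POST", "/index.php?routestring=ajax/render/widget_php", "widgetConfig%5Bcode%5D=PLACEHOLDER"),
    ("POST", "/index.php", "routestring=ajax%2Frender%2Fwidget_php&widgetConfig[code]=PLACEHOLDER"),
    ("GET", "/ajax/render/widget_php?widgetConfig%5Bcode%5D=PLACEHOLDER", ""),
    ("GET", "/index.php?routestring=ajax/render/widget_php", ""),      # route only, no code parameter
    ("POST", "/index.php?routestring=ajax/render/other_widget", "widgetConfig[title]=x"),  # constructed route
    ("GET", "/forum/showthread.php?t=42", ""),                         # unrelated traffic
]


def scan(samples):
    """Return the samples that match the advisory's request pattern."""
    return [s for s in samples if matches_cve_2019_16759(s[1], s[2])]


if __name__ == "__main__":
    for method, url, body in scan(SAMPLES):
        print(f"ALERT {method} {url} body={body!r}")
```

Matching on the body requires a log source that records POST bodies, such as a WAF or reverse proxy; standard access logs only expose the URL.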

Solution :

Updates are available by contacting the sales support channel or the vBulletin support team at support@vBulletin.com.