CVE-2014-9463

HIGH

vbseo - Authenticated Remote Code Execution via HTTP Referer Header


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9463. PoCs published by Net.Edit0r.

AI-analyzed exploit summary: This exploit leverages a remote code injection vulnerability in vBulletin 4.x.x via the 'visitormessage.php' endpoint. The attack involves manipulating the referrer header to execute arbitrary PHP code, leading to remote code execution (RCE).

Description

functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Net.Edit0r · text · webapps · php
https://www.exploit-db.com/exploits/36232

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 4.x.x (tested on 4.2.2)
Auth required
Prerequisites: Registered user account on the target vBulletin instance · Ability to send crafted HTTP requests with manipulated headers
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_confirm
https://blog.sucuri.net/2015/01/serious-vulnerability-on-vbseo.html
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/36232/

Scores

CVSS v3: 8.8
EPSS: 0.1479
EPSS Percentile: 96.3%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-94
Status: published
Products (1): vbseo/vbseo
Published: Sep 15, 2017
Tracked Since: Feb 18, 2026