CVE-2015-7808

EXPLOITED IN THE WILD

vBulletin 5 Connect <5.1.9 - Code Injection

Title source: llm

Description

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Mohammad Reza Espargham · perlwebappsphp
https://www.exploit-db.com/exploits/38790
exploitdb WORKING POC VERIFIED
by hhjj · textwebappsphp
https://www.exploit-db.com/exploits/38629
exploitdb WORKING POC
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/48761
nomisec WORKING POC 1 stars
by Prajithp · remote
https://github.com/Prajithp/CVE-2015-7808
metasploit WORKING POC EXCELLENT
by Netanel Rubin, cutz, Julien (jvoisin) Voisin · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_unserialize.rb

References (6)

Scores

EPSS 0.7736
EPSS Percentile 99.0%

Details

VulnCheck KEV 2021-04-12
InTheWild.io 2021-04-12
CWE
CWE-20
Status published
Products (16)
vbulletin/vbulletin 5.0.0
vbulletin/vbulletin 5.0.1
vbulletin/vbulletin 5.0.2
vbulletin/vbulletin 5.0.3
vbulletin/vbulletin 5.0.4
vbulletin/vbulletin 5.0.5
vbulletin/vbulletin 5.1.0 (2 CPE variants)
vbulletin/vbulletin 5.1.1
vbulletin/vbulletin 5.1.2 (4 CPE variants)
vbulletin/vbulletin 5.1.3 (2 CPE variants)
... and 6 more
Published Nov 24, 2015
Tracked Since Feb 18, 2026