CVE-2020-12720

Severity: Critical · Exploited in the wild · Nuclei template available

vBulletin <5.5.6pl1, <5.6.0pl1, <5.6.1pl1 - Privilege Escalation


Exploitation Summary

CVE-2020-12720 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits, including a Metasploit module auxiliary/gather/vbulletin_getindexablecontent_sqli. A Nuclei detection template is also available.


Description

vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.

Exploits (2)

Metasploit module (working PoC) · tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.rb

This Metasploit module exploits a SQL injection vulnerability in vBulletin 5.x.x via the `/ajax/api/content_infraction/getIndexableContent` endpoint. It allows dumping user table information or all database tables by leveraging a valid node ID.

Classification: Working PoC (100%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 5.x.x
Authentication: none needed
Prerequisites: Valid node ID or brute-force range for node ID
Analyzed by devstral-2 on Feb 16, 2026
Metasploit module (working PoC, manual) · tags: ruby, poc, php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_getindexablecontent.rb

This Metasploit module exploits a SQL injection vulnerability in vBulletin 5.6.1 and earlier to reset the administrator's password and achieve remote code execution. It leverages the getIndexableContent endpoint to perform SQLi and subsequently uses the administrator's credentials for RCE.

Classification: Working PoC (100%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: vBulletin 5.6.1 and earlier
Authentication: none needed
Prerequisites: Access to the target vBulletin instance · Valid node ID for SQLi
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

vBulletin SQL Injection
Severity: Critical · by pdteam
Shodan: http.title:"powered by vbulletin" || http.html:"powered by vbulletin" || http.component:"vbulletin" || cpe:"cpe:2.3:a:vbulletin:vbulletin"
FOFA: body="powered by vbulletin" || title="powered by vbulletin"

Scores

CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9382
EPSS percentile: 99.9%
Attack vector: NETWORK

Details

VulnCheck KEV: 2021-04-12
InTheWild.io: 2021-04-12
CWE: CWE-306, CWE-89
Status: published
Products (4):
vbulletin/vbulletin 5.5.6
vbulletin/vbulletin 5.6.0
vbulletin/vbulletin 5.6.1.-
vbulletin/vbulletin 5.0.0 - 5.5.6
Published: May 08, 2020
Tracked since: Feb 18, 2026