EIP-2026-112997

The writeup describes an SQL injection vulnerability in vBulletin 4.0.x due to insufficient sanitization of the 'update_order' variable in the 'force_read_thread.php' script. The proof-of-concept demonstrates how an attacker with admin access can inject malicious SQL syntax by inserting a single quote into the 'force_read_order' field.