CVE-2014-9463

high

Published 2017-09-15 · Modified 2026-05-13

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2

9.0

VIR risk

8.8

Description

functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Application impact

Vendor	Product	Versions	Fixed
vbseo	vbseo	`-`
vbulletin	vbulletin	`{"endIncluding":"4.2.2"}`

References

https://blog.sucuri.net/2015/01/serious-vulnerability-on-vbseo.html
https://www.exploit-db.com/exploits/36232/
https://blog.sucuri.net/2015/01/serious-vulnerability-on-vbseo.html
https://www.exploit-db.com/exploits/36232/

CWEs

CWE-94

Verify integrity in audit chain (admin only). AS-IS.