Cyber Resilience

CVE-2019-16759

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 24 September 2019
Modified: 07 November 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9443 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-16759 is a critical-severity Code Injection (CWE-94) vulnerability in vBulletin (vendor vBulletin). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS 100.0th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

vBulletin versions 5.x through 5.5.4 contain a remote code execution vulnerability tracked as CVE-2019-16759 and assigned CWE-94. The flaw resides in the handling of the widgetConfig[code] parameter within requests routed to ajax/render/widget_php, enabling injection of arbitrary PHP code that is subsequently executed by the application.

Unauthenticated attackers can exploit the issue over the network by submitting a specially crafted HTTP request containing malicious code in the widgetConfig[code] field. Successful exploitation grants full control over the target server, including the ability to read, modify, or delete data and execute operating-system commands, which is consistent with the CVSS 9.8 rating: no privileges and no user interaction are required.

Public exploit code for this vulnerability has been released on multiple occasions via PacketStorm, confirming that working proof-of-concept implementations are readily available to potential attackers. No official patch or mitigation details are referenced in the supplied sources.
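As an added illustration that is not part of this record, the following Python check flags web-server access-log lines that match the request pattern described above (the ajax/render/widget_php routestring together with the widgetConfig[code] parameter), so a defender can spot probing in historical logs. The log lines are constructed samples and the parameter value is a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Indicators from the CVE description: the ajax/render/widget_php routestring
# and the widgetConfig[code] parameter. Matching runs on the URL-decoded
# request line so %5B/%5D encodings of the brackets are caught as well.
ROUTE_RE = re.compile(r"ajax/render/widget_php", re.IGNORECASE)
PARAM_RE = re.compile(r"widgetConfig\[code\]", re.IGNORECASE)

# Minimal parser for Apache/nginx combined log lines: client, method, path, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def flag_request(line: str):
    """Return a finding dict for a line matching the CVE-2019-16759 pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    if not ROUTE_RE.search(path):
        return None
    finding = {"client": m.group("client"), "method": m.group("method"),
               "status": int(m.group("status")), "path": path}
    if PARAM_RE.search(path):
        finding["severity"] = "high"    # route and injection parameter both visible
    elif m.group("method") == "POST":
        finding["severity"] = "review"  # body is not logged; parameter may be in the POST body
    else:
        return None
    return finding

def scan_log(text: str):
    """Run flag_request over every line of an access log and collect the findings."""
    return [f for f in (flag_request(l) for l in text.splitlines()) if f]

# Constructed sample log lines (not real traffic); the parameter value is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2019:10:01:02 +0000] "GET /index.php?routestring=ajax/render/widget_php&widgetConfig%5Bcode%5D=PLACEHOLDER HTTP/1.1" 200 5120
203.0.113.9 - - [24/Sep/2019:10:01:05 +0000] "POST /ajax/render/widget_php HTTP/1.1" 200 311
198.51.100.7 - - [24/Sep/2019:10:02:10 +0000] "GET /forum/ HTTP/1.1" 200 8913
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["client"], f["method"], f["path"])
```

A "review" finding only says the route was hit by a POST; the request body has to be checked elsewhere (WAF or application logs) to confirm the parameter was present.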

EU & UK References

Vulnerability details

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vbulletin
Product: vbulletin
Versions: 5.0.0 — 5.5.4

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly blocks injection of arbitrary PHP via the widgetConfig[code] parameter by enforcing validation of all inputs to the ajax/render/widget_php route before execution.
- prevent: Disables or restricts the dangerous widget_php rendering functionality and server-side code execution capability that the vulnerability relies on.
- prevent: Requires prompt application of vendor patches that eliminate the widgetConfig code-injection flaw in vBulletin 5.x.

References