Description
vBSEO is the leading SEO plugin for vBulletin. The 'proc_deutf()' function defined in /includes/functions_vbseocp_abstract.php is vulnerable: user input passed through the 'char_repl' POST parameter is not properly sanitized before being used in a call to preg_replace() with the 'e' modifier. This can be exploited to inject and execute arbitrary code by leveraging PHP's complex curly syntax.
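The code pattern described above, next to its hardened form, as an added example that is not vBSEO's code. The function name `parse_char_repl`, the "'from' => 'to'" input format, the `canary()` helper and the sample input are assumptions made for illustration.

```php
<?php
// Added example: hypothetical parser for "'from' => 'to'" pairs; not vBSEO's code.
//
// Risky form (the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0):
//   preg_replace("#'(.*?)'\s*=>\s*'(.*?)'#e", '$map["\\1"] = "\\2"', $input);
// With /e the replacement string is evaluated as PHP after the captures are
// substituted, so captured text placed in double quotes is interpolated.

function parse_char_repl(string $input): array
{
    $map = [];
    // The callback receives the captures as plain strings; nothing is evaluated.
    preg_replace_callback(
        "#'(.*?)'\s*=>\s*'(.*?)'#",
        function (array $m) use (&$map): string {
            $map[$m[1]] = $m[2];
            return '';
        },
        $input
    );
    return $map;
}

// Harmless canary: records whether input was ever executed as code.
$canaryRan = false;
function canary(): string
{
    $GLOBALS['canaryRan'] = true;
    return '';
}

// Constructed sample input (nowdoc, so PHP itself does not interpolate it).
$sample = <<<'TXT'
'a' => 'A'
'b' => '{${canary()}}'
TXT;

$map = parse_char_repl($sample);

if ($canaryRan || $map['b'] !== '{${canary()}}' || $map['a'] !== 'A') {
    throw new RuntimeException('replacement input was not treated as inert data');
}
echo "ok: ", count($map), " pairs parsed, canary not executed\n";
```

The same canary check works as a regression test when migrating any remaining `/e` patterns to `preg_replace_callback()`.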
Remediation
Upgrade to the latest version of vBSEO.