Description

vBSEO is the leading SEO Plugin for vBulletin. There is a vulnerability in the 'proc_deutf()' function defined in /includes/functions_vbseocp_abstract.php. User input passed through 'char_repl' POST parameter isn't properly sanitized before being used in a call to preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary code leveraging the PHP's complex curly syntax.

Remediation

Upgrade to the latest version of vBSEO.

References

CVE-2012-5223

Related Vulnerabilities

Grafana Improper Preservation of Permissions Vulnerability (CVE-2022-36062)

GoAhead web server remote code execution

WordPress Plugin Google Map Remote Code Execution (1.0)

Oracle Application Server CVE-2006-0288 Vulnerability (CVE-2006-0288)

MediaWiki Credentials Management Errors Vulnerability (CVE-2015-8009)

Severity

High

Classification

CVE-2012-5223 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities