Are you surprised? I’m not. There are more bugs in vBulletin than a roach motel. Can someone please call the exterminator?
It’s rather amusing Internet Brands does not even know where the vulnerability is in THEIR OWN software. If they can’t even find it when it is pointed out to someone, how do you expect Internet Brands to deliver a bug-free product?
Here is the initial security advisory.
A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:
4.X – /install/
5.X – /core/install
After deleting these directories your sites can not be affected by the issues that we’re currently investigating.
vBulletin 3.X and pre-4.1 would not be affected by these issues. However if you want the best security precautions, you can delete your install directory as well.
Source: vBulletin
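To confirm the workaround has actually been applied on every forum under a web root, here is an added example (not from vBulletin or the original post) that lists leftover directories matching the two paths named in the advisory. The function name, the search depth and the web root you pass in are assumptions.

```shell
#!/bin/sh
# Added example: report leftover vBulletin install directories under a web root.
# Paths come from the advisory: 4.X -> <forum>/install, 5.X -> <forum>/core/install.
# Any other directory that happens to be named "install" is also listed under the
# 4.X layout, so review each hit before deleting anything.

# find_vb_install_dirs ROOT [MAXDEPTH]   (MAXDEPTH default of 4 is an assumption)
# Prints one tab-separated line per hit: "<layout>\t<path>".
# Returns 0 if nothing was found, 1 if at least one directory remains,
# 2 if ROOT is not a directory.
find_vb_install_dirs() {
    root=$1
    depth=${2:-4}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    hits=$(find "$root" -maxdepth "$depth" -type d -name install 2>/dev/null |
        while IFS= read -r dir; do
            case $dir in
                */core/install) printf '5.X layout\t%s\n' "$dir" ;;
                *)              printf '4.X layout\t%s\n' "$dir" ;;
            esac
        done)

    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage (the path is a placeholder for your own web root):
#   find_vb_install_dirs /var/www || echo "install directories still present"
```

The non-zero return makes it easy to drop into a cron job or deployment check that fails while any install directory is still on disk.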