**Name of the Vulnerable Software and Affected Versions**

vBulletin versions 5.0.0 through 5.5.4

**Description**

The issue is related to errors in code generation management, allowing a remote attacker to execute arbitrary commands using a specially crafted `widgetConfig[code]` parameter in an `ajax/render/widget php` routestring request. This can be done without authentication. The vulnerability affects many open projects, including forums for Ubuntu, openSUSE, BSD systems, and Slackware.

**Recommendations**

For versions 5.0.0 through 5.5.4, consider disabling the `widget php` function or restricting access to the `ajax/render/widget php` endpoint until a patch is available. Avoid using the `widgetConfig[code]` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.