In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
Add your gear to cvedb and we'll alert you only when vbulletin ships something exploited.
Check my exposure →This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.