So I assume that vBulletin developers spend little to no time actually looking for possible vulnerability flaws.
Too bad.
An anonymous bug hunter has publicly disclosed a zero-day flaw in version 5 of the popular vBulletin forum software that can be exploited over the internet to hijack servers. No patch is known to be available. The security hole was revealed last night in a post to the Full Disclosure mailing list: the message exactly …
I don't think this classifies as a vulnerability; this is a feature which allows you to run a command on the server from the client. I don't see any way this could be accidental, it's bizarre. It's either a deliberate backdoor or some development code that got into release by accident? The development code part doesn't make any sense either though, why would anyone add remote code execution into a development build?
I would ask the Xenforo authors (who authored the original vBulletin) if the shell access was done in their time and if they carried it forward.
This exploit is particularly dangerous as remaining vBulletin operators are likely to be the less expert admins. Otherwise, as you indicate, they would have migrated to Xenforo too.
If I were running a vBulletin forum there would be a 'down for maintenance' page showing by now. Has vBulletin notified its users? And did the whistleblower give them adequate time to put a mitigation in place?
If they didn't then they are worse than hackers, if they did and vBulletin did nothing then vBulletin deserves to be toast.
The vBulletin website still has no warning on its frontpage or anywhere else I could find.
Yet go to their forum and there are multiple reports of attacks and actual damage (like wiping the MySQL database). This is criminal of vBulletin to not respond/warn of a known exploit - given that they should be at least reading their own forum. vBulletin customers might be prudently advised to consider whether this is evidence of a responsible or trusted provider.