A security issue has been found that affects all versions of vBulletin including 3.x, 4.x and 5.x. We have released security patches to account for this vulnerability. This includes patches for vBulletin 3.8.7, vBulletin 4.2.2 and all versions of vBulletin 5. The patch is also applied to vBulletin 5.1.0 RC1. It is imperative that you apply these patches as soon as possible.


Due to functionality changes, the minimum PHP version for the patch is 5.2.0. This represents an increase for vBulletin 3. Alternatively customers can install the JSON functions separately via PECL :: Package :: json in which case it will work with any compatible PHP version that their particular version of vBulletin supports. You will need to collaborate with your hosting provider or systems administrator to apply the changes to PHP.

All patches can be found at http://members.vbulletin.com/patches.php
This includes:
vBulletin 5.0.5 PL1
vBulletin 4.2.2 PL1
vBulletin 3.8.7 PL3
vBulletin 3.8.7 MAPI

You can find DIFF Patches for other versions here:
Security Exploit Patched in versions 3.5, 3.6, 3.7, 3.8, 4.X, 5.X of vBulletin - vBulletin Community Forum