CVE-2019-16759 (vbulletin)

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
Source: NIST
CVE-2019-16759 (vbulletin)