vBulletin versions 4.2.3 and below suffer from a remote SQL injection vulnerability in the forumrunner add-on.