Originally Posted by c0bra
There is no profile_start plugin in 2.4.2 either though. Could you clarify with developers the situation? Maybe the advistory is wrong and 2.4.2 is not affected by this vulnerability. It would be good to get some clarification.
Well in the advisory there is a link: Original Advisory
there you find:
Affected Version(s): 2.5
Not affected Versions: Versions prior to 2.5
this is not quite correct...
affected are 2.43 and 2.5 (that is why michael posted 2 fixes)
because that was when vbulletin introduced the tabbed profile..
versions prior to 2.43 | i.e. 2.42 for vbulletin 3.6 are NOT affected
because they do not have this plugin.