Though vBulletin, which is written in PHP, is proprietary software, it is extremely popular and widely used, counting Sony Pictures, the Denver Broncos, the Houston Texans, Steam, EA, NASA and Zynga among its more than 100,000 users.
The zero-day permits a user who does not have an account on a given forum to run shell commands on a server that is running vBulletin.
The attacker can use an HTTP POST request to execute commands without having to authenticate.
A researcher who goes by the handle @notdan pointed to what he termed a "tentative patch" posted by another researcher who goes by the name Nick.
iTWire has contacted vBulletin for comment.
Commenting on the exploit, Gavin Millard, the vice-president of Intelligence at security firm Tenable, said: "Given that this vBulletin flaw offers remote code execution, and that it can be paired with the ability to leverage Shodan [the Internet search tool] to find potential targets, makes it critically important that security professionals take action.
"With just a few taps of the keyboard anyone could take a small piece of code, gather the IP addresses of hundreds of vulnerable systems, and automatically exploit them.
"Pair that with the fact that, post exploitation, you can run any command against the compromised device and we could easily see mass attacks on sites running this ubiquitous news forum software.
"Organisations and hobbyists should drop everything to verify what version of vBulletin they are running and if affected, and until a patch is available, I would take the unprecedented move to take the system offline. It really is that bad."