None of these hacks were related to the forum software. Maza and VF run ancient vb, but nobody has found vulns in that for ages. Exploit frontend proxy was compromised by someone, most likely the hoster. The forum software doesn’t run on the frontend proxy.
VF was hacked with a MITM attack that intercepted admin credentials; you can check CT logs to verify this.
I do not know much about this whole story, but does it mean that Cloudflare has helped to perform those hacks? Since Firefox now uses it by default for its DoH, I think it warrants some serious questions about the choice.
I don't imagine Cloudflare did anything other than provide a proxy platform that's nice for MITM because of features like ssl termination, edge workers, page rules, etc.
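The CT log check mentioned earlier in the thread, as an added example that is not part of any poster's comment: a site owner can review Certificate Transparency entries for their own domain and flag certificates issued by a CA they do not use. The row fields are modelled on crt.sh JSON output (an assumption), and the domain, CA names and records are constructed.

```python
from datetime import datetime

# Constructed rows shaped like crt.sh JSON output (field names assumed); not real log data.
SAMPLE = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "forum.example\nwww.forum.example",
     "not_before": "2021-01-04T10:00:00", "serial_number": "0a01"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",  # precert and leaf share a serial
     "name_value": "forum.example\nwww.forum.example",
     "not_before": "2021-01-04T10:00:00", "serial_number": "0a01"},
    {"issuer_name": "C=US, O=Other CA Inc, CN=Other DV CA",
     "name_value": "*.forum.example",
     "not_before": "2021-02-20T03:12:00", "serial_number": "0b02"},
    {"issuer_name": "C=US, O=Other CA Inc, CN=Other DV CA",
     "name_value": "notforum.example",  # look-alike suffix, different domain
     "not_before": "2021-02-21T00:00:00", "serial_number": "0c03"},
]

def issuer_org(issuer_name):
    """Return the O= attribute of an issuer DN (simplified: no quoted commas)."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""

def covers(name, domain):
    """True if a SAN is the domain, a subdomain of it, or a wildcard under it."""
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def unexpected_certs(rows, domain, expected_orgs):
    """List (not_before, issuer org, names) for certs from CAs outside expected_orgs."""
    seen, hits = set(), []
    for row in sorted(rows, key=lambda r: datetime.fromisoformat(r["not_before"])):
        key = (row["issuer_name"], row["serial_number"])
        if key in seen:  # skip the duplicate precertificate/leaf entry
            continue
        seen.add(key)
        names = row["name_value"].split("\n")
        org = issuer_org(row["issuer_name"])
        if org not in expected_orgs and any(covers(n, domain) for n in names):
            hits.append((row["not_before"], org, names))
    return hits

if __name__ == "__main__":
    for hit in unexpected_certs(SAMPLE, "forum.example", {"Let's Encrypt"}):
        print(hit)
```

A hit is only a lead: the issuance date still has to be compared against the operator's own renewal and CA-change history.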
I'm surprised even ancient vbulletin doesn't have new vulnerabilities arise. Last I looked at it, it was a horrible kluge. For example, a fair amount of the actual PHP that runs was in database tables.
That makes it unpleasant, which does not necessarily mean insecure. In fact, having an unpleasant codebase can be an advantage from a security standpoint. If the code is so ugly and complicated that no one wants to add new features, then that means less churn, and less churn means fewer weaknesses. Imagine if the Sudo codebase, which has had over 9,000 changes, had been written that way. I think Donald Knuth got it right with his marvelous tex.web monstrosity that some software should arch towards immutability. https://mirrors.concertpass.com/tex-archive/systems/knuth/di...
It's another surface to inject code, puts "eval" type functionality in the main code, and makes cleaning up after you've been compromised more difficult.