vB has made heavy use of eval() for years, it’s used thru the bbcode parser, template and plugin features. I haven’t dug into the vB5 code base much, my heavy use ended in the 4 range. But this hasn’t been the first time it’s been exploited, and I suspect won’t be the last. When 5 was released we were already turned off to vB and it’s overall direction and settled on sticking with v4 until Xenforo matured more (the creators of which were original developers/architectes of vB 1,2,3.