CVE-2025-47916
CVE-2025-47916
In short
Invision Community versions before 5.0.7 allow anyone to execute arbitrary code by sending specially crafted template strings to the theme editor, without needing to log in. This is critical because attackers can take complete control of the website.
Technical detail
An unauthenticated attacker can invoke the protected customCss method in themeeditor.php by crafting malicious template strings in the content parameter. The application passes this unsanitized input to Theme::makeProcessFunction(), which evaluates it in the template engine context, resulting in arbitrary PHP code execution with application privileges.
Summary generated and translated by AI from the official description.
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
invisioncommunity · Invision Power Boardpublic PoCs found — 2
githubgithub.com/Web3-Serializer/CVE-2025-47916★ 1exploitdbwww.exploit-db.com/exploits/52294unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →