CVE-2025-47916

Description

Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.

CVSS Metrics

• v3.1•CRITICAL•Score: 10CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 90.83%• Percentile: 100%

Techniques & Countermeasures

• CWE-1336•Improper Neutralization of Special Elements Used in a Template Engine

  The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

• CWE-94•Improper Control of Generation of Code ('Code Injection')

  The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

• invisioncommunity•invision_power_board

  ≥ 5.0.0, < 5.0.7

• invisioncommunity•invisioncommunity

  ≥ 5.0.0, < 5.0.7

References (3)

• https://invisioncommunity.com/release-notes-v5/507-r41/
• https://karmainsecurity.com/KIS-2025-02
• http://seclists.org/fulldisclosure/2025/May/4