CVE-2025-47916
published 2025-05-16


Priority: P195
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 79.17% (99.6th percentile)
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.

Affected (2 ranges)

Vendor             Product                Version range        Fixed in
invisioncommunity  invision_power_board   >= 5.0.0, < 5.0.7    5.0.7
invisioncommunity  invisioncommunity      >= 5.0.0, < 5.0.7    5.0.7

Detection & IOCs (extracted from sources)

  • Look for unauthenticated POST requests to the themeeditor controller with the 'do=customCss' parameter and a 'content' field containing template injection syntax such as {expression="..."}
  • Detect POST requests to any endpoint with query parameters app=core&module=system&controller=themeeditor&do=customCss from unauthenticated sessions (no session cookie or fresh session)
  • Flag HTTP request bodies containing URL-encoded or raw {expression=...} template strings in the 'content' POST parameter targeting Invision Community installations
  • Identify Invision Community hosts via the Set-Cookie header value prefix 'ips4_' for targeted scanning or alerting
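To turn the detection notes above into a check that runs over request records, here is an added example (editor's code, not from the page's sources or from Invision Community): it flags POSTs to the themeeditor customCss action whose 'content' carries template syntax, and separately those that arrive without an ips4_ cookie. The record schema, the cookie name and the sample requests are constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Query parameters that select the vulnerable controller action (taken from the advisory text).
TARGET_PARAMS = {"app": "core", "module": "system", "controller": "themeeditor", "do": "customCss"}
# Template marker named in the detection guidance, matched raw or URL-encoded (case-insensitive).
EXPRESSION_RE = re.compile(r"\{expression=|%7Bexpression(?:=|%3D)", re.IGNORECASE)

def is_themeeditor_customcss(url: str) -> bool:
    """True when the URL's query string selects the themeeditor customCss action."""
    qs = parse_qs(urlsplit(url).query)
    return all(qs.get(key, [None])[0] == value for key, value in TARGET_PARAMS.items())

def has_ips_session(cookie_header: str) -> bool:
    """Invision Community cookies carry the 'ips4_' prefix; none present means an unauthenticated caller."""
    return any(part.strip().startswith("ips4_") for part in cookie_header.split(";"))

def classify(req: dict) -> Optional[str]:
    """Return an alert label for one request record, or None if nothing matches."""
    # Record schema (constructed for this example): method, url, cookie, body (form-encoded).
    if req["method"].upper() != "POST" or not is_themeeditor_customcss(req["url"]):
        return None
    content = parse_qs(req["body"], keep_blank_values=True).get("content", [""])[0]
    # Check the decoded parameter and the raw body, so a double-encoded payload is still caught.
    if EXPRESSION_RE.search(content) or EXPRESSION_RE.search(req["body"]):
        return "CVE-2025-47916: template syntax in themeeditor customCss 'content'"
    if not has_ips_session(req.get("cookie", "")):
        return "themeeditor customCss POST without an ips4_ session cookie"
    return None

def scan(records: list) -> list:
    """Run classify() over every record; return (index, label) pairs for the hits."""
    labeled = ((i, classify(rec)) for i, rec in enumerate(records))
    return [(i, label) for i, label in labeled if label]

THEMEEDITOR = "/index.php?app=core&module=system&controller=themeeditor&do=customCss"
SAMPLE_REQUESTS = [  # constructed sample records, not captured traffic
    {"method": "POST", "url": THEMEEDITOR, "cookie": "",
     "body": "content=%7Bexpression%3D%22CONSTRUCTED%22%7D"},
    {"method": "POST", "url": THEMEEDITOR, "cookie": "ips4_session=CONSTRUCTED",
     "body": "content=.header%7Bcolor%3Ared%7D"},
    {"method": "POST", "url": THEMEEDITOR, "cookie": "", "body": "content=body%7Bmargin%3A0%7D"},
    {"method": "GET", "url": THEMEEDITOR, "cookie": "", "body": ""},
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_REQUESTS):
        print(index, label)
```

Feed it records parsed from a reverse proxy or WAF log that retains POST bodies; without bodies only the second, lower-confidence rule can fire.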

CVSS provenance

NVD: CVSS v3.1 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL