CVE-2025-47916: Unauthenticated RCE in Invision Community via SSTI
Vulnerability ID: CVE-2025-47916
CVSS Score: 10.0
Published: 2025-05-16
A critical remote code execution vulnerability exists in Invision Community versions 5.0.0 through 5.0.6. The flaw resides in the 'themeeditor' controller, where improper access control allows unauthenticated users to invoke the 'customCss' method. This method passes user-supplied input directly to the internal template engine without sanitization. By injecting malicious template directives, attackers can execute arbitrary PHP code on the underlying server. The vulnerability carries a CVSS score of 10.0 and has been patched in version 5.0.7.
TL;DR
Critical RCE in Invision Community 5.0.x allows unauthenticated attackers to execute arbitrary PHP code. The issue stems from an exposed 'customCss' controller method that processes unsanitized input via the template engine. Patched in version 5.0.7.
⚠️ Exploit Status: WEAPONIZED
Technical Details
- CWE ID: CWE-1336
- CVSS v3.1: 10.0 (Critical)
- Attack Vector: Network
- EPSS Score: 0.89988 (89.99%)
- Exploit Status: Weaponized / Public PoC
- Impact: Remote Code Execution
Affected Systems
- Invision Community 5.0.0
- Invision Community 5.0.1
- Invision Community 5.0.2
- Invision Community 5.0.3
- Invision Community 5.0.4
- Invision Community 5.0.5
- Invision Community 5.0.6
- Invision Community: >= 5.0.0, <= 5.0.6 (Fixed in: 5.0.7)
Exploit Details
- Nuclei: detection template for the unauthenticated RCE
Mitigation Strategies
- Restrict access to the 'themeeditor' controller via WAF rules.
- Monitor logs for unexpected POST requests to the 'system' module.
Remediation Steps
- Upgrade Invision Community to version 5.0.7 immediately.
- If immediate upgrade is impossible, implement a WAF rule blocking POST requests containing 'controller=themeeditor' and 'do=customCss'.
- Audit the filesystem for unknown PHP files created after the vulnerability disclosure date.
- Rotate database credentials and encryption keys if compromise is suspected.
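The log-monitoring and WAF steps above both reduce to one condition: a request that names the 'themeeditor' controller together with the 'customCss' action. The following Python scanner, added here as an illustration and not code from the advisory or from Invision Community, applies that condition to web-server access logs. It assumes (the advisory does not say so) that Invision Community dispatches through index.php query parameters, so 'controller=...' and 'do=...' appear in the logged request line; the log lines in SAMPLE_LOG are constructed for the example.

```python
"""Flag requests to the Invision Community theme editor's customCss action in
access logs. Added example for this advisory, not vendor code.

Assumption (not stated in the advisory): controller and action are passed as
index.php query parameters, so they are visible in the request line of a
combined-format access log. Parameters sent only in a POST body are never
logged here; blocking those is the WAF rule's job.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, identd, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_CONTROLLER = "themeeditor"
VULN_ACTION = "customcss"

# Constructed sample traffic (not real requests): one benign GET, three POSTs to the
# vulnerable action (plain, mixed-case, percent-encoded), one GET that a WAF blocked,
# one unrelated POST, and one GET that only reaches the controller.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2025:10:01:02 +0000] "GET /index.php?app=core&module=system&controller=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [16/May/2025:10:01:03 +0000] "POST /index.php?app=core&module=system&controller=themeeditor&do=customCss HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.12 - - [16/May/2025:10:01:04 +0000] "POST /index.php?app=core&module=system&controller=ThemeEditor&do=customcss HTTP/1.1" 200 298 "-" "curl/8.4"
203.0.113.13 - - [16/May/2025:10:01:05 +0000] "POST /index.php?app=core&module=system&controller=themeeditor&do=custom%43ss HTTP/1.1" 200 301 "-" "curl/8.4"
203.0.113.14 - - [16/May/2025:10:01:06 +0000] "GET /index.php?app=core&module=system&controller=themeeditor&do=customCss HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.15 - - [16/May/2025:10:01:07 +0000] "POST /index.php?app=core&module=system&controller=settings&do=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.16 - - [16/May/2025:10:01:08 +0000] "GET /index.php?app=core&module=system&controller=themeeditor HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields a detection needs, or None if the line is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so 'custom%43ss' becomes 'customCss'.
    # Keys and values are lower-cased deliberately: this is a hunting query, so
    # matching loosely beats missing a trivially re-cased request.
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec["params"] = {k.lower(): [v.lower() for v in vals] for k, vals in query.items()}
    return rec


def classify(rec):
    """Return a reason string if the request touches the vulnerable surface, else None."""
    controller = rec["params"].get("controller", [])
    action = rec["params"].get("do", [])
    if VULN_CONTROLLER not in controller:
        return None
    if VULN_ACTION in action:
        # Exactly the pair the advisory's WAF rule keys on.
        return "customCss invoked via " + rec["method"]
    # Any other access to the controller is worth a look, since the advisory
    # recommends restricting the whole controller.
    return "themeeditor controller accessed"


def scan(log_text):
    """Scan access-log text and return one finding dict per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "status": int(rec["status"]), "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} {f['reason']}")
```

A 403 against the customCss action (the .14 entry) is the signature of a WAF rule doing its job; a 200 on the same request from before the upgrade is the event that should trigger the filesystem audit and credential rotation steps. Because access logs omit request bodies, a request that carries 'controller' and 'do' only as POST fields is invisible to this scan, which is why the advisory pairs log monitoring with a WAF rule that inspects the body.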