Cyber Resilience

CVE-2025-47916

Critical · Public PoC · RCE

Published: 16 May 2025

Modified: 20 June 2025
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9073 (99.6th percentile)
Risk Priority: 74 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-47916 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Invision Community. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Invision Community versions 5.0.0 through 5.0.6 contain a remote code execution vulnerability in the themeeditor controller at /applications/core/modules/front/system/themeeditor.php. Unauthenticated callers can reach the protected customCss method, which forwards the user-supplied content parameter directly to Theme::makeProcessFunction; the template engine then evaluates the supplied string as PHP, enabling arbitrary code execution. The flaw is tracked as CVE-2025-47916 and carries a CVSS 3.1 score of 10.0.

An unauthenticated remote attacker can submit a crafted request to themeeditor.php containing malicious template syntax. Successful exploitation grants the attacker the ability to execute arbitrary PHP on the server, resulting in full confidentiality, integrity, and availability impact under the affected component’s security context.

The vendor’s release notes for version 5.0.7 and the accompanying security advisories at karmainsecurity.com and seclists.org indicate that the issue is resolved by upgrading to Invision Community 5.0.7; the patch restricts access to the customCss method and prevents unauthenticated invocation of the template-processing routine. The associated EPSS score remains high at approximately 0.91.

Vulnerability details

Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

invisioncommunity
invisioncommunity
5.0.0 — 5.0.7

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.
