Cyber Posture

CVE-2025-71278

Severity: High · Public PoC

Published: 01 April 2026
Modified: 01 April 2026
KEV Added: not listed
Patch: upgrade to XenForo 2.3.5 (see Deeper analysis)

CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (15.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-71278 is a high-severity Incorrect Authorization (CWE-863) vulnerability in XenForo (vendor Xenforo, product Xenforo). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (AC-3, Access Enforcement): Enforces approved authorizations in XenForo to prevent OAuth2 clients from accessing resources beyond intended scopes.
- prevent (AC-6, Least Privilege): Applies least privilege to limit OAuth2 client applications to only necessary scopes, mitigating unauthorized access escalation.
- prevent: Establishes requirements and monitoring for authorization servers like XenForo to ensure proper scope validation in OAuth2 deployments.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The flaw is a directly network-exploitable authorization bypass in a public-facing web application (XenForo's OAuth2 implementation); it lets a client application escalate to scopes and resources it was never authorized for.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level.

Deeper analysis

CVE-2025-71278 is a vulnerability in XenForo versions prior to 2.3.5 that allows OAuth2 client applications to request unauthorized scopes, an Incorrect Authorization weakness (CWE-863). This issue affects any XenForo 2.3 deployment that uses OAuth2 clients, enabling those clients to potentially access resources beyond their intended authorization levels. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

An attacker with low privileges, such as a registered user who can register or control an OAuth2 client application, can exploit this vulnerability over the network without user interaction. By requesting excessive scopes during the OAuth2 authorization process, the attacker could gain elevated access to user data, administrative functions, or other protected resources, surpassing the permissions originally granted by the resource owner.
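As an added illustration (this is not XenForo's code; the client registry, client IDs and scope names are constructed sample data), the scope check an OAuth2 authorization server must make at the authorization endpoint, with the vulnerable pattern beside the hardened one, plus the matching narrowing check at the token endpoint:

```python
"""OAuth2 scope enforcement, an illustrative example and not XenForo's code.
CWE-863 here: granting whatever scope a client asks for instead of checking it
against the scopes the client was registered for. All client data is constructed."""
import re

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), space-delimited.
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")

# Constructed client registry: client_id -> scopes the client is registered to use.
CLIENTS = {
    "mobile-app": frozenset({"profile:read", "posts:read"}),
    "moderation-bot": frozenset({"profile:read", "posts:read", "posts:moderate"}),
}

class InvalidScope(ValueError):
    """Corresponds to the OAuth2 'invalid_scope' error response."""

def parse_scope(scope_param: str) -> list[str]:
    """Split the scope parameter into unique, well-formed tokens, order preserved."""
    tokens: list[str] = []
    for tok in filter(None, scope_param.split(" ")):  # drop empties from repeated spaces
        if not _SCOPE_TOKEN.fullmatch(tok):
            raise InvalidScope(f"malformed scope token {tok!r}")
        if tok not in tokens:
            tokens.append(tok)
    return tokens

def _bounded(wanted: list[str], allowed, what: str) -> list[str]:
    """Return wanted if every token is in allowed; otherwise reject, naming the excess."""
    excess = [s for s in wanted if s not in allowed]
    if excess:
        raise InvalidScope(f"{what}: {' '.join(excess)}")
    return wanted

def grant_scopes_vulnerable(client_id: str, scope_param: str) -> list[str]:
    """Vulnerable pattern: the client's own request is trusted; registration is ignored."""
    if client_id not in CLIENTS:
        raise InvalidScope("unknown client")
    return parse_scope(scope_param)

def grant_scopes_hardened(client_id: str, scope_param: str) -> list[str]:
    """Hardened pattern: requested scopes must be a subset of the client's registered set."""
    registered = CLIENTS.get(client_id)
    if registered is None:
        raise InvalidScope("unknown client")
    wanted = parse_scope(scope_param) or sorted(registered)  # empty scope -> client default
    return _bounded(wanted, registered, "scope outside client registration")

def issue_token_scope(approved: frozenset, scope_param: str) -> list[str]:
    """Token endpoint: an issued token may narrow, never widen, what the user approved."""
    wanted = parse_scope(scope_param) or sorted(approved)
    return _bounded(wanted, approved, "token scope exceeds the authorization grant")
```

The same subset check belongs on refresh-token exchanges, since a client can re-request scope there too.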

Advisories from VulnCheck and the official XenForo community announcement recommend upgrading to XenForo 2.3.5, which includes a security fix addressing the unauthorized scope requests in OAuth2 clients. Affected customers using OAuth2 integrations should apply this patch promptly to prevent exploitation.

Details

CWE(s): CWE-863 Incorrect Authorization

Affected Products: vendor xenforo, product xenforo, versions 2.3.0 — 2.3.5 (fixed in 2.3.5)

CVEs Like This One

- CVE-2026-35056 (same product: Xenforo Xenforo)
- CVE-2025-71279 (same product: Xenforo Xenforo)
- CVE-2025-71281 (same product: Xenforo Xenforo)
- CVE-2025-71282 (same product: Xenforo Xenforo)
- CVE-2025-30093 (shared CWE-863)
- CVE-2026-41191 (shared CWE-863)
- CVE-2026-32101 (shared CWE-863)
- CVE-2026-32267 (shared CWE-863)
- CVE-2026-25859 (shared CWE-863)
- CVE-2025-21556 (shared CWE-863)
