CVE-2025-47916 PoC — Invision Community Security Vulnerability

Associated Vulnerability
Title: Invision Community Security Vulnerability (CVE-2025-47916)
Description: Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.
Description
Proof-of-concept description for CVE-2025-47916, a Remote Code Execution vulnerability affecting Invision Community 5.0.0–5.0.6 via unsafe template processing in the "customCss()" method.
Readme
# CVE-2025-47916 - Invision Community Remote Code Execution (RCE) Vulnerability

## About

This repository provides a proof-of-concept description for
**CVE-2025-47916**, a Remote Code Execution vulnerability affecting
Invision Community versions **5.0.0 through 5.0.6**. The issue stems
from improper handling of user-supplied input within the `customCss()`
method, allowing unauthenticated attackers to execute crafted template
expressions.

## Affected Versions

-   All versions from **5.0.0** to **5.0.6**

## Description

The vulnerability resides in the
`IPS\core\modules\front\system\themeeditor::customCss()` method inside:

    /applications/core/modules/front/system/themeeditor.php

The method can be called without authentication and passes the `content`
request parameter to `Theme::makeProcessFunction()`. Since the value is
processed through the template engine, specially crafted input may lead
to **arbitrary PHP code execution**. This enables remote,
unauthenticated attackers to achieve full code execution within the
Invision Community environment.

## CLI Usage

    usage: main.py [options] target

    positional arguments:
      target                Target URL

    optional arguments:
      -p, --proxy PROXY     Proxy server to route requests
      -c, --command CMD     Single command to process (for testing output handling)
      -t, --test            Perform a non-intrusive vulnerability check

## Solution

Update to **Invision Community 5.0.7** or later, where the issue has
been resolved.
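
A defender-side check for the request pattern described above, as an added example that is not part of the original repository: it scans web-server access logs (combined log format assumed) for requests whose query string names both the `themeeditor` controller and the `customCss` method. The query keys `controller` and `do`, the sample log lines and the helper names are constructed for illustration; request bodies do not appear in access logs, so only query-string parameters are inspected.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client IP, ..., "METHOD URI PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_line(line):
    """Return a finding if the request names themeeditor and customCss, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qsl percent-decodes, so encoded spellings (custom%43ss) still match.
    params = parse_qsl(urlsplit(m["uri"]).query, keep_blank_values=True)
    # Match on parameter values, not keys: the key names are an assumption here.
    values = {v.strip().lower() for _, v in params}
    if not {"themeeditor", "customcss"} <= values:
        return None
    return {
        "ip": m["ip"],
        "method": m["method"],
        "status": int(m["status"]),
        # 'content' is the parameter the page says reaches the template engine.
        "content_in_query": any(k.lower() == "content" for k, _ in params),
    }

def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f is not None]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2025:10:01:22 +0000] "POST /index.php?controller=themeeditor&do=customCss HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [01/Jun/2025:10:02:03 +0000] "GET /index.php?controller=themeeditor&do=custom%43ss&content=x HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.44 - - [01/Jun/2025:10:02:40 +0000] "GET /index.php?controller=topic&id=5 HTTP/1.1" 200 9120 "-" "-"',
    '192.0.2.44 - - [01/Jun/2025:10:03:11 +0000] "GET /index.php?controller=themeeditor HTTP/1.1" 403 210 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit against a host that was running 5.0.0 through 5.0.6 at the time of the request is a reason to review that host; the check cannot see `content` values sent in a POST body.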

## Credits

Vulnerability discovered by **Egidio Romano**.

## References

-   https://invisioncommunity.com/release-notes-v5/507-r41/
-   CVE entry
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47916
-   Karma In Security Advisory:
    https://karmainsecurity.com/KIS-2025-02
File Snapshot

[4.0K] /data/pocs/41bdce007b8bb5a460d5b39b3e9ef64e32c3b5de
├── [4.0K] main.py
└── [1.8K] README.md

1 directory, 2 files