Invision Community <= 5.0.6 (customCss) Remote Code Execution Vulnerability
• Software Link:
• Affected Versions:
All versions from 5.0.0 to 5.0.6.
• Vulnerability Description:
The vulnerability is located in the /applications/core/modules/front/system/themeeditor.php script, specifically in the IPS\core\modules\front\system\themeeditor::customCss() method:
359     /**
360      * Parse Custom CSS so that we can properly handle any
361      * resource tags, etc
362      *
363      * @return void
364      */
365     protected function customCss() : void
366     {
367         $functionName = "css_" . uniqid();
368         Theme::makeProcessFunction( Theme::fixResourceTags( (string) Request::i()->content, 'front' ), $functionName, '', FALSE, TRUE );
369
370         $fqFunc = 'IPS\\Theme\\'. $functionName;
371         $content = Theme::minifyCss( $fqFunc() );
372
373         /* Replace any <fileStore.xxx> tags in the CSS */
374         Output::i()->parseFileObjectUrls( $content );
375         Output::i()->json( [ 'content' => $content ] );
376     }
This protected method can be invoked by unauthenticated users and passes the value of the “content” request parameter to the Theme::makeProcessFunction() method at line 368. As a result, the input is processed by the template engine. This behavior can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by supplying crafted template strings.
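For triage on installations that ran 5.0.0 to 5.0.6, the following added example (not part of the original advisory or of Invision Community's code) scans web server access logs for requests routed to the customCss() handler described above. It assumes Combined Log Format and the standard IPS query-string routing parameters (controller, do); the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_customcss_request(target: str) -> bool:
    """True if the request target routes to themeeditor::customCss().

    parse_qs percent-decodes keys and values, so encoded spellings and any
    parameter order are handled. Matching is case-insensitive on purpose:
    a few false positives are cheaper than a missed hit during triage.
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    params = {k.lower(): v[-1].lower() for k, v in query.items()}
    return (params.get("controller") == "themeeditor"
            and params.get("do") == "customcss")

def scan(lines):
    """Return (client_ip, timestamp, method, status) for each matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_customcss_request(m.group(4)):
            ip, when, method, _target, status = m.groups()
            hits.append((ip, when, method, int(status)))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2025:10:01:02 +0000] "POST /index.php?app=core'
    '&module=system&controller=themeeditor&do=customCss HTTP/1.1" 200 512',
    '198.51.100.4 - - [14/May/2025:10:01:05 +0000] "GET /index.php?app=forums'
    '&module=forums&controller=index HTTP/1.1" 200 9001',
    '203.0.113.7 - - [14/May/2025:10:02:10 +0000] "POST /index.php?do=%63ustomCss'
    '&controller=themeeditor&app=core&module=system HTTP/1.1" 200 498',
    '198.51.100.9 - - [14/May/2025:10:03:00 +0000] "GET /index.php?app=core'
    '&module=system&controller=themeeditor HTTP/1.1" 403 120',
]

if __name__ == "__main__":
    for ip, when, method, status in scan(SAMPLE_LOG):
        print(f"{when}  {ip}  {method}  status={status}")
```

Access logs record only the request line, so this covers query-string routing; parameters carried in a request body need WAF or application-level logging to be visible.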
• Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2025-47916.php
• Solution:
Upgrade to version 5.0.7 or later.
• Disclosure Timeline:
[10/05/2025] – Vendor notified
[12/05/2025] – Version 5.0.7 released
[12/05/2025] – CVE identifier requested
[14/05/2025] – CVE identifier assigned
[14/05/2025] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2025-47916 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.