Invisioncommunity < 5.0.7 - Remote Code Execution
Title source: ruleDescription
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.
Exploits (4)
exploitdb
WORKING POC
by Egidio Romano · phpremotemultiple
https://www.exploit-db.com/exploits/52294
github
WORKING POC
1 stars
by exploitintel · pythonpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-47916
nomisec
WORKING POC
1 stars
by Web3-Serializer · remote
https://github.com/Web3-Serializer/CVE-2025-47916
metasploit
WORKING POC
EXCELLENT
by Egidio Romano (EgiX), Valentin Lobstein · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/invision_customcss_rce.rb
Nuclei Templates (1)
Invision Community <=5.0.6 Unauthenticated RCE via Template Injection
CRITICALVERIFIEDby EgiX,iamnoooob,pdresearch
Shodan:
Set-Cookie: ips4_
FOFA:
body="Invision" && body="ips4"
Scores
CVSS v3
10.0
EPSS
0.9073
EPSS Percentile
99.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lab Environment
Details
VulnCheck KEV
2025-06-06
CWE
CWE-1336
CWE-94
Status
published
Products (1)
invisioncommunity/invisioncommunity
5.0.0 - 5.0.7
Published
May 16, 2025
Tracked Since
Feb 18, 2026