CVE-2025-47916

An unauthenticated attacker sends a crafted HTTP request to the themeeditor.php endpoint, invoking the customCss() method [ref_id=1]. The attacker supplies a malicious template string in the "content" parameter, which is passed to Theme::makeProcessFunction() at line 368 of /applications/core/modules/front/system/themeeditor.php [ref_id=1]. Because the template engine evaluates the input, the attacker can inject arbitrary PHP code that executes on the server. No authentication or prior access is required, making this a remotely exploitable unauthenticated RCE [ref_id=1].

The vulnerability is located in /applications/core/modules/front/system/themeeditor.php, specifically in the IPS\core\modules\front\system\themeeditor::customCss() method at line 365-376 [ref_id=1]. The critical line is 368, where the unsanitized "content" request parameter is passed to Theme::makeProcessFunction() [ref_id=1].

The advisory states that the solution is to upgrade to Invision Community version 5.0.7 or later [ref_id=1]. No patch diff is provided in the bundle, but the vendor released version 5.0.7 on 12 May 2025 to address this issue [ref_id=1]. The fix presumably restricts access to the customCss() method to authenticated users only, or sanitizes/validates the input before passing it to the template engine, preventing unauthenticated template code evaluation.

A proof of concept is available at https://karmainsecurity.com/pocs/CVE-2025-47916.php [ref_id=1]. The reproduction steps involve sending a crafted HTTP request to the themeeditor.php endpoint with a malicious template string in the "content" parameter to trigger arbitrary PHP code execution via the template engine.