CVE-2025-47916 Scanner

The Invision Community platform, a popular community management and forum solution, suffers from a critical security flaw in versions 5.0.0 through 5.0.6 that allows unauthenticated Remote Code Execution (RCE). Identified as CVE-2025-47916, this vulnerability stems from a flaw in the themeeditor controller (/applications/core/modules/front/system/themeeditor.php).

The protected customCss method within this controller is accessible to unauthenticated users and processes the content parameter using Theme::makeProcessFunction(). This method dangerously evaluates user-controlled input in the templating engine, enabling attackers to execute arbitrary PHP code.

A successful exploit can fully compromise the server, exfiltrate sensitive data, or pivot to other systems. The issue is patched in version 5.0.7.

REFERENCES

• https://nvd.nist.gov/vuln/detail/CVE-2025-47916
• https://karmainsecurity.com/pocs/CVE-2025-47916.php
• https://invisioncommunity.com/release-notes-v5/507-r41/
• https://karmainsecurity.com/KIS-2025-02
• http://seclists.org/fulldisclosure/2025/May/4