CVE-2025-71281

Description

XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:* - VULNERABLE

XenForo < 2.3.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Conceptual PoC for XenForo Template Method Call Bypass -->
<!-- This payload attempts to invoke a restricted method using a loose prefix match -->

{xf:property var="{$xf.visitor.getUserData()}"}

<!-- Analysis: If the filter checks for 'get' as a prefix, 'getUserData' might be allowed.
If 'getUserData' is a sensitive method leading to RCE, the bypass is successful.
Actual exploitation requires knowledge of the internal class structure and available methods. -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-71281
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-71281
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-71281/
[4] VulDB https://vuldb.com/cve/CVE-2025-71281
[5] https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass
[6] https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-71281", "sourceIdentifier": "[email protected]", "published": "2026-04-01T01:16:40.590", "lastModified": "2026-04-01T18:52:54.050", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations."}, {"lang": "es", "value": "XenForo anterior a 2.3.7 no restringe adecuadamente los métodos invocables desde dentro de las plantillas. Se utilizó una coincidencia de prefijo laxa en lugar de una coincidencia de primera palabra más estricta para los métodos accesibles a través de retrollamadas y llamadas a métodos variables en las plantillas, lo que podría permitir invocaciones de métodos no autorizadas."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.7", "matchCriteriaId": "5ADDC458-D5EB-4B70-9EE7-93C78E81EDBD"}]}]}], "references": [{"url": "https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/", "source": "[email protected]", "tags": ["Release Notes"]}]}}