CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.
Analysis
XenForo versions before 2.3.7 allow authenticated users to invoke unauthorized methods through template callbacks and variable method calls, which can lead to remote code execution. The vulnerability stems from a loose prefix matching mechanism that permits bypassing intended access restrictions, enabling attackers with low-privilege accounts to achieve high-severity impacts across confidentiality, integrity, and availability. No public exploit had been identified at the time of analysis, though the technical details have been publicly disclosed by VulnCheck, increasing the weaponization risk.
Technical Context
XenForo is a PHP-based forum platform that uses a templating engine to render dynamic content. The vulnerability affects the template method invocation mechanism (CWE-94: Improper Control of Generation of Code/Code Injection). The platform's template system permits callbacks and variable method calls to execute PHP methods, but the access control relied on prefix matching rather than strict first-word matching. This loose comparison allows attackers to craft template inputs that match benign method prefixes while actually invoking restricted or dangerous methods. Affected product per CPE is cpe:2.3:a:xenforo:xenforo for all versions prior to 2.3.7. The flaw exists at the template parsing layer where user-controlled template syntax is translated into executable PHP code, creating a code injection surface when combined with insufficient method access controls.
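The difference between a loose prefix match and a first-word match, as an added illustration that is not XenForo's code: the allowlist of prefixes, the sample method names, and the reading of "first word" as the first camelCase word (prefix followed by an uppercase letter or nothing) are all assumptions made for this example.

```php
<?php
// Illustrative reconstruction, not XenForo's code: an allowlist of method-name
// prefixes that templates may call, checked the loose way and the strict way.
declare(strict_types=1);

// Constructed allowlist of prefixes (assumption; not taken from XenForo).
const ALLOWED_PREFIXES = ['get', 'is', 'has', 'can'];

// Loose check: any method whose name merely starts with an allowed prefix
// passes, so a name like "isolate..." is accepted because of "is".
function isCallableLoose(string $method): bool
{
    foreach (ALLOWED_PREFIXES as $prefix) {
        if (str_starts_with($method, $prefix)) {
            return true;
        }
    }
    return false;
}

// First-word check: the prefix must be the whole first camelCase word, i.e.
// it is either the entire name or is followed by an uppercase letter.
function isCallableFirstWord(string $method): bool
{
    foreach (ALLOWED_PREFIXES as $prefix) {
        if ($method === $prefix) {
            return true;
        }
        // str_starts_with plus inequality guarantees the index below exists.
        if (str_starts_with($method, $prefix)
            && ctype_upper($method[strlen($prefix)])) {
            return true;
        }
    }
    return false;
}

// Constructed sample method names; none are real XenForo methods.
$samples = ['getTitle', 'isolateUser', 'cancelOrder', 'hasPermission', 'canEdit', 'hashSecret'];
foreach ($samples as $m) {
    printf("%-15s loose=%-3s first-word=%s\n", $m,
        isCallableLoose($m) ? 'yes' : 'no',
        isCallableFirstWord($m) ? 'yes' : 'no');
}
```

Names that share only the spelling of a prefix (such as the constructed "hashSecret" against "has") pass the loose check but fail the first-word check, which is the class of mismatch the 2.3.7 change closes.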
Affected Products
XenForo forum platform versions prior to 2.3.7 are affected, specifically cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*. The vulnerability impacts all deployments running unpatched versions where authenticated users can access template rendering functionality. The official vendor advisory at https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/ confirms version 2.3.7 as the patched release. Additional technical analysis is available from VulnCheck at https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass, which provides implementation details of the vulnerability.
Remediation
Vendor-released patch: XenForo 2.3.7. Administrators should immediately upgrade all XenForo installations to version 2.3.7 or later following the vendor's standard update procedures documented in the official security advisory at https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/. The patch implements stricter first-word matching for template method invocations, replacing the vulnerable prefix matching logic. No workarounds are documented; upgrading to the patched version is the only complete remediation. Post-upgrade, administrators should review access logs for suspicious template-related activity and audit user accounts with template modification privileges. Organizations unable to immediately patch should consider restricting user registration and limiting template access to highly trusted administrators until the upgrade can be completed.
EUVD-2025-209156
GHSA-gvjw-m4hx-6454