CVE-2025-71281

XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass	Third Party Advisory
https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*

History

01 Apr 2026, 18:52

Type	Values Removed	Values Added
Summary		(es) XenForo anterior a 2.3.7 no restringe adecuadamente los métodos invocables desde dentro de las plantillas. Se utilizó una coincidencia de prefijo laxa en lugar de una coincidencia de primera palabra más estricta para los métodos accesibles a través de retrollamadas y llamadas a métodos variables en las plantillas, lo que podría permitir invocaciones de métodos no autorizadas.
First Time		Xenforo Xenforo xenforo
CPE		cpe:2.3:a:xenforo:xenforo::::::::
References	~~() https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass -~~	() https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass - Third Party Advisory
References	~~() https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/ -~~	() https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/ - Release Notes

01 Apr 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-01 01:16

Updated : 2026-04-01 18:52

NVD link : CVE-2025-71281

Mitre link : CVE-2025-71281

CVE.ORG link : CVE-2025-71281

JSON object : View

Products Affected

xenforo

xenforo

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-71281", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-01T01:16:40.590", "references": [{"url": "https://www.vulncheck.com/advisories/xenforo-template-method-call-restriction-bypass", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://xenforo.com/community/threads/xenforo-2-3-7-released-includes-security-fixes.232121/", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations."}, {"lang": "es", "value": "XenForo anterior a 2.3.7 no restringe adecuadamente los m\u00e9todos invocables desde dentro de las plantillas. Se utiliz\u00f3 una coincidencia de prefijo laxa en lugar de una coincidencia de primera palabra m\u00e1s estricta para los m\u00e9todos accesibles a trav\u00e9s de retrollamadas y llamadas a m\u00e9todos variables en las plantillas, lo que podr\u00eda permitir invocaciones de m\u00e9todos no autorizadas."}], "lastModified": "2026-04-01T18:52:54.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5ADDC458-D5EB-4B70-9EE7-93C78E81EDBD", "versionEndExcluding": "2.3.7"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}