AI description
CVE-2025-71281 is an improper restriction of template-callable methods in XenForo versions before 2.3.7, tagged CWE-94 (code injection) by the reporting source. XenForo limits which object methods template code may invoke through callbacks and variable method calls, but the allowlist check used a loose prefix match instead of a strict first-word match on the method name. A method whose name merely begins with an allowed verb could therefore pass the check even though its first word was not on the list, so methods never intended to be reachable from templates became callable. An attacker with template access could use this to invoke such methods and perform unauthorized actions or read data they should not reach. Note that the two vectors on this page disagree on the privileges required: the CVSS 4.0 vector (8.7, High) assumes low privileges (PR:L), while the NVD CVSS 3.1 vector (9.8, Critical) assumes none (PR:N). The fix is to upgrade to XenForo 2.3.7 or later.
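The difference between the two checks, as an added illustration that is not XenForo's code: XenForo is written in PHP, but the matching logic is shown here in Python so it runs stand-alone. The allowed verb list, the DemoUser class and its method names are assumptions constructed for the demo, not XenForo's real allowlist or entities. The vulnerable loose_prefix_allows passes any name that merely starts with an allowed verb, so issueRefund (prefix "is"), cancelOrder (prefix "can") and hashPassword (prefix "has") all get through; the hardened strict_first_word_allows extracts the leading camelCase word and requires that whole word to be on the list.

```python
import re

# Assumed allowlist of verb words that templates may call; XenForo's real
# list may differ. The bug is in how the name is compared against it.
ALLOWED_WORDS = ("get", "is", "has", "can")


def loose_prefix_allows(method: str) -> bool:
    """Vulnerable check: any name that merely starts with an allowed verb
    passes, so 'issueRefund' is accepted because it begins with 'is'."""
    return method.startswith(ALLOWED_WORDS)


def first_word(method: str) -> str:
    """Leading camelCase word: the run of lowercase letters at the start.
    'getUser' -> 'get', 'issueRefund' -> 'issue', 'hashPassword' -> 'hash'.
    A name that does not start with a lowercase run yields '' (fails closed)."""
    m = re.match(r"[a-z]+", method)
    return m.group(0) if m else ""


def strict_first_word_allows(method: str) -> bool:
    """Hardened check: the whole first word must be an allowed verb."""
    return first_word(method) in ALLOWED_WORDS


class DemoUser:
    """Constructed sample entity standing in for an object exposed to templates.
    Method names are chosen to collide with the allowed verbs as prefixes."""

    def __init__(self):
        self.refunds = []
        self.cancelled = False

    def getUsername(self):          # first word 'get': safe read accessor
        return "alice"

    def isSuperAdmin(self):         # first word 'is': safe predicate
        return False

    def issueRefund(self, amount=100):   # first word 'issue', prefix 'is'
        self.refunds.append(amount)
        return "refund issued"

    def cancelOrder(self):          # first word 'cancel', prefix 'can'
        self.cancelled = True
        return "order cancelled"

    def hashPassword(self):         # first word 'hash', prefix 'has'
        return "hypothetical-hash"

    def deleteAccount(self):        # no allowed prefix at all
        return "deleted"


def call_from_template(obj, method: str, allow):
    """Simulates a template variable method call {{ $obj.method() }} gated
    by the given allow function. Returns the result, or None when refused
    or when the attribute is missing or not callable."""
    if not allow(method):
        return None
    target = getattr(obj, method, None)
    if target is None or not callable(target):
        return None
    return target()


def compare(methods):
    """Maps each name to (loose_allows, strict_allows) for side-by-side review."""
    return {m: (loose_prefix_allows(m), strict_first_word_allows(m)) for m in methods}


if __name__ == "__main__":
    names = ["getUsername", "isSuperAdmin", "issueRefund",
             "cancelOrder", "hashPassword", "deleteAccount"]
    for name, (loose, strict) in compare(names).items():
        print(f"{name:14s} loose={loose!s:5s} strict={strict}")
    victim = DemoUser()
    print(call_from_template(victim, "issueRefund", loose_prefix_allows), victim.refunds)
    print(call_from_template(victim, "issueRefund", strict_first_word_allows))
```

The strict check fails closed: a name with no leading lowercase run or whose first word is not listed is refused, and call_from_template additionally refuses anything that is not a callable attribute. PHP method names are case-insensitive, so a real allowlist must not be bypassable by respelling; rejecting every spelling that does not match the canonical form, as here, is the safe direction, whereas a denylist compared case-sensitively would fail open.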
- Description
- XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.
- Source
- disclosure@vulncheck.com
- NVD status
- Analyzed
- Products
- xenforo
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Weaknesses
- disclosure@vulncheck.com
- CWE-94 (Improper Control of Generation of Code, "Code Injection")
- Hype score
- Not currently trending
CVE-2025-71281 XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for metho… https://t.co/BczNAj74s1
@CVEnew
1 Apr 2026
⚡ New CVE Alert: CVE-2025-71281 📊 Severity: 8.8 🚨 Risk Level: High 🧩 Affects: Multiple / Unspecified Products Reference: https://t.co/yOAAAaD1ti #CVE-2025-71281 #CVE #High #CyberSecurity #InfoSec https://t.co/xnYmzPLnvw
@CVEarity
1 Apr 2026
🟠 CVE-2025-71281 - High XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through cal... https://t.co/2GbfEPgQcg https://t.co/ZKH4cNCcKO
@TheHackerWire
1 Apr 2026
[CVE-2025-71281: HIGH] XenForo < 2.3.7 has a security issue allowing unauthorized method invocations in templates due to loose prefix match use, not strict first-word match. 🔒 #cybersecurity#cve,CVE-2025-71281,#cybersecurity https://t.co/B9AiBg9CwX
@CveFindCom
1 Apr 2026
NVD configurations (CPE match: every XenForo version below 2.3.7 is marked vulnerable)
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "5ADDC458-D5EB-4B70-9EE7-93C78E81EDBD",
            "versionEndExcluding": "2.3.7",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]