CVE-2025-71281

Published Apr 1, 2026

Last updated 15 hours ago

CVSS high 8.7

Overview

Description
XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.
Source
disclosure@vulncheck.com
NVD status
Analyzed
Products
xenforo

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

disclosure@vulncheck.com
CWE-94

Social media

Hype score
Not currently trending

  1. CVE-2025-71281 XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for metho… https://t.co/BczNAj74s1

    @CVEnew

    1 Apr 2026

    139 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚡ New CVE Alert: CVE-2025-71281 📊 Severity: 8.8 🚨 Risk Level: High 🧩 Affects: Multiple / Unspecified Products Reference: https://t.co/yOAAAaD1ti #CVE-2025-71281 #CVE #High #CyberSecurity #InfoSec https://t.co/xnYmzPLnvw

    @CVEarity

    1 Apr 2026

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🟠 CVE-2025-71281 - High XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through cal... https://t.co/2GbfEPgQcg https://t.co/ZKH4cNCcKO

    @TheHackerWire

    1 Apr 2026

    140 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [CVE-2025-71281: HIGH] XenForo < 2.3.7 has a security issue allowing unauthorized method invocations in templates due to loose prefix match use, not strict first-word match. 🔒 #cybersecurity#cve,CVE-2025-71281,#cybersecurity https://t.co/B9AiBg9CwX

    @CveFindCom

    1 Apr 2026

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox.CVE-2026-35055
  2. XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.CVE-2026-35056
  3. XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content.CVE-2026-35057
  4. XenForo before 2.3.9 is vulnerable to stored cross-site scripting (XSS) related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content.CVE-2026-35054
  5. XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.CVE-2025-71279

References

Sources include official advisories and independent security research.