XenForo · XenForo · CVE-2025-71281
Name of the Vulnerable Software and Affected Versions
XenForo versions prior to 2.3.7
Description
XenForo does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations.
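The difference between the two checks, as an added illustration in PHP (not XenForo's own code). The allowed-word list and every method name below are constructed for the example; this page does not give the real list.

```php
<?php
// Constructed allow-list of "safe" leading words (assumption, not XenForo's list).
const ALLOWED_WORDS = ['get', 'is', 'has', 'can'];

// Loose check: accepts any method whose name merely starts with an allowed string.
function looseSafe(string $method): bool
{
    foreach (ALLOWED_WORDS as $prefix) {
        if (stripos($method, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// First word of a camelCase or snake_case name: the leading letter plus the
// lowercase run after it, ending at the next capital, digit or underscore.
function firstWord(string $method): string
{
    return preg_match('/^[A-Za-z][a-z]*/', $method, $m) ? strtolower($m[0]) : '';
}

// Strict check: the whole first word must be on the list. Names with no word
// boundary (all lower or all upper case) fail closed.
function strictSafe(string $method): bool
{
    return in_array(firstWord($method), ALLOWED_WORDS, true);
}

// Methods the loose check exposes that the strict check does not.
function exposureGap(array $methods): array
{
    return array_values(array_filter(
        $methods,
        fn(string $m): bool => looseSafe($m) && !strictSafe($m)
    ));
}

// Constructed method names, as they might appear on a template-visible object.
$samples = ['isVisible', 'issueRefund', 'canView', 'cancelOrder',
            'getTitle', 'hasReplies', 'hashPassword', 'delete'];

foreach ($samples as $name) {
    printf("%-13s loose=%-5s strict=%s\n", $name,
        looseSafe($name) ? 'allow' : 'deny',
        strictSafe($name) ? 'allow' : 'deny');
}
echo 'Allowed only by the loose check: ', implode(', ', exposureGap($samples)), "\n";
```

Running `exposureGap()` over the method names of your own template-visible classes lists the calls that stop being reachable once the stricter match is in place.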
Recommendations
Update to version 2.3.7 or later.