Platform: php
Component: xenforo
Fixed in: 2.3.7
CVE-2025-71280 describes an Information Disclosure vulnerability discovered in XenForo. This flaw allows sensitive user information to be exposed on shared systems where multiple users access XenForo through a single browser or machine. The vulnerability affects versions 2.3.0 through 2.3.7 and has been resolved in version 2.3.7.
The primary impact of CVE-2025-71280 is the potential exposure of sensitive user data. In environments where multiple users share a computer or browser, a malicious or even unintentional user could access cached account pages belonging to other users. This could reveal personally identifiable information (PII) such as usernames, email addresses, and potentially other profile details stored within XenForo. The risk is amplified in shared hosting environments or public computer labs where user isolation is not strictly enforced. While not a direct remote code execution vulnerability, the information disclosed could be used in conjunction with other attacks to compromise user accounts or gain unauthorized access to XenForo resources.
CVE-2025-71280 was publicly disclosed on 2026-04-01. There are currently no known public proof-of-concept exploits available. The vulnerability's impact is limited to local access scenarios, which reduces the likelihood of widespread exploitation. The EPSS score is likely low, reflecting the limited attack vector and the low potential for remote exploitation. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC: (none given)
CVSS Vector: (none given)
The primary mitigation for CVE-2025-71280 is to upgrade XenForo to version 2.3.7 or later. If an immediate upgrade is not possible due to compatibility issues or downtime constraints, consider implementing stricter browser isolation measures. This could involve educating users about the risks of sharing browsers or machines, or deploying browser virtualization technologies. While not a direct fix, clearing the browser cache frequently reduces the window in which a cached account page could be viewed by someone else. After upgrading, verify the fix by logging in as a test user and confirming that the test user's account page is not accessible to other users logged into the same machine.
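The verification step above is manual. As an added, illustrative check (not code from XenForo or from this advisory), the script below evaluates the HTTP response headers of an authenticated page and reports why a browser could keep a copy of it on disk and later show it to another local user. It assumes that whether a page can be cached is governed by the standard HTTP caching headers (Cache-Control, Expires); the sample header sets are constructed here and are not captured from a XenForo install, and the `xf_session` cookie name in them is only a placeholder.

```python
"""Report whether an authenticated page's response could be stored by a browser
cache and served to a different user of the same machine.

Added illustrative code; not part of XenForo or of this advisory.
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Constructed sample responses (illustrative only; not captured from XenForo).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    # Weak: page may be kept for five minutes and reused without revalidation.
    "weak": {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "max-age=300",
        "Set-Cookie": "xf_session=placeholder; Path=/; HttpOnly",
    },
    # Hardened: browser must not store the page at all.
    "hardened": {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "private, no-store, no-cache, max-age=0, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
        "Set-Cookie": "xf_session=placeholder; Path=/; HttpOnly; Secure",
    },
    # Missing: no caching policy, so the browser may apply heuristic caching.
    "missing": {
        "Content-Type": "text/html; charset=utf-8",
    },
}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return findings explaining why the response could be served from a local
    cache to another user. An empty list means the page is not cacheable."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: the browser may write the page to its disk cache")
    max_age = cc.get("max-age")
    if "max-age" in cc and max_age not in (None, "0"):
        findings.append(f"Cache-Control max-age={max_age} allows reuse without revalidation")
    if not cc and "expires" not in lowered:
        findings.append("No Cache-Control or Expires header: heuristic caching may apply")
    return findings


def is_safe_for_shared_machine(headers: Dict[str, str]) -> bool:
    """True when nothing in the headers permits local caching of the page."""
    return not cache_findings(headers)


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        problems = cache_findings(headers)
        status = "OK" if not problems else "CACHEABLE"
        print(f"{label:>9}: {status}")
        for problem in problems:
            print(f"           - {problem}")
```

To run this against a live install after the upgrade, capture the response headers of the account page while logged in as the test user (for example with the browser's developer tools or `curl -I` with the session cookie) and pass them to `cache_findings`; an empty result is the condition the manual check in the advisory is looking for.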
Update XenForo to version 2.3.7 or later. This version fixes the local account page caching vulnerability that could expose sensitive information on shared systems.
CVE-2025-71280 is a vulnerability in XenForo versions 2.3.0 through 2.3.7 that allows sensitive user information to be exposed on shared systems through cached account pages.
You are affected if you are running XenForo version 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, or 2.3.7. Upgrade to version 2.3.7 or later to mitigate the risk.
Upgrade XenForo to version 2.3.7 or later. If an immediate upgrade is not possible, implement stricter browser isolation measures and clear browser caches frequently.
There are currently no known active exploits for CVE-2025-71280, but it's crucial to apply the patch to prevent potential future exploitation.
Refer to the official XenForo security advisory for detailed information and instructions: https://xenforo.com/security/advisories/