CVE-2025-71280
Information Disclosure in XenForo < 2.3.7 via Account Page Caching
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xenforo | xenforo | up to 2.3.7 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows sensitive user information to be disclosed to unauthorized local users due to cached account pages on shared systems. Such unauthorized disclosure of personal or sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal information.
Specifically, the exposure of sensitive information through local caching could violate principles of data confidentiality and privacy mandated by these standards, potentially resulting in legal and regulatory consequences for affected organizations.
Can you explain this vulnerability to me?
CVE-2025-71280 is a medium-severity vulnerability affecting XenForo versions prior to 2.3.7. It involves information disclosure caused by local account page caching on shared systems.
On systems where multiple users share a browser or machine, cached account pages can expose sensitive user information to other local users who should not have access to that data.
This vulnerability is classified under CWE-200, which means it results in exposure of sensitive information to unauthorized actors.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive user information if multiple users share the same browser or machine.
An attacker or unauthorized local user could access cached account pages and view sensitive data belonging to other users.
This could result in privacy breaches, identity exposure, and potential misuse of the disclosed information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves local account page caching on shared systems in XenForo versions prior to 2.3.7, which can expose sensitive user information to other local users sharing the same browser or machine.
Detection would involve checking if the affected XenForo version is in use and verifying if cached account pages are accessible by other local users on the system.
Since the vulnerability is local and related to browser or machine caching, network-based detection commands are not applicable.
To confirm whether a vulnerable version is installed, check the installed XenForo version, for example:
- Access the XenForo admin control panel and verify the version number.
- If you have shell access, check the version file or use commands like `grep 'version' /path/to/xenforo/config.php` or similar to identify the installed version.
To detect cached account pages exposing sensitive data, manually inspect browser cache or local storage on shared machines for cached XenForo account pages.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade XenForo to version 2.3.7 or later, where this vulnerability has been fixed.
Additionally, on shared systems, ensure that browsers do not cache sensitive account pages, or clear browser caches regularly, so that cached data is not exposed to other local users.
Implement user session management best practices, such as logging out after use and avoiding shared browser sessions.
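A defender-side way to verify the second mitigation above is to look at the HTTP caching headers an account page is served with: a response that carries per-user data should be marked `no-store` (and `private`) so that a browser on a shared machine never writes it to its disk cache. The following script is an added example for this record, not XenForo's code and not from the advisory; the two HTTP responses it inspects are constructed samples, the cookie value is a placeholder, and the exact header values XenForo 2.3.7 emits are not taken from this page.

```python
"""Check whether an HTTP response for a page carrying account data could be
stored by a browser cache, and show a hardened header set beside the weak one.

Added example, not XenForo's code. The sample responses below are constructed;
the cookie value is a placeholder.
"""
from __future__ import annotations


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict.

    Header names are lower-cased so lookups are case-insensitive.
    The status line and the body are ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def cache_control_directives(value: str) -> dict[str, str | None]:
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        if "=" in part:
            key, arg = part.split("=", 1)
            directives[key.strip()] = arg.strip().strip('"')
        else:
            directives[part] = None
    return directives


def cache_findings(headers: dict[str, str]) -> list[str]:
    """Return the caching problems found for a response that carries per-user data.

    An empty list means the response should not be retained by a browser cache.
    """
    findings: list[str] = []
    cc = cache_control_directives(headers.get("cache-control", ""))
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store; the browser may write the page to its disk cache")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared caches store per-user content")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0 and "no-store" not in cc:
        findings.append(f"max-age={max_age} allows reuse for {max_age}s without revalidation")
    if "set-cookie" in headers and "private" not in cc and "no-store" not in cc:
        findings.append("Set-Cookie is present but the response is neither private nor no-store")
    return findings


def hardened_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of the headers with a cache policy suitable for account pages."""
    hardened = dict(headers)
    hardened["cache-control"] = "private, no-store, no-cache, max-age=0, must-revalidate"
    hardened["pragma"] = "no-cache"   # for HTTP/1.0-era caches
    hardened["expires"] = "0"
    return hardened


# Constructed sample: an account page served with a permissive cache policy.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Set-Cookie: session=PLACEHOLDER; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>Account details for user...</body></html>"
)

# Constructed sample: the same page served with a policy that keeps it out of caches.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: private, no-store, no-cache, max-age=0\r\n"
    "Pragma: no-cache\r\n"
    "Set-Cookie: session=PLACEHOLDER; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>Account details for user...</body></html>"
)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        problems = cache_findings(parse_response_headers(raw))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

To use this against a live install you would capture the response headers of an account page with your own logged-in session (for example from the browser's network panel) and feed them to `cache_findings`; any non-empty result means a shared browser could keep a copy of that page after logout.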