Summaryinfo

A vulnerability, which was classified as problematic, has been found in XenForo up to 2.3.6. The impacted element is an unknown function of the component User Information Handler. Performing a manipulation results in information disclosure. This vulnerability is reported as CVE-2025-71280. The attack requires a local approach. No exploit exists. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in XenForo up to 2.3.6. This affects an unknown functionality of the component User Information Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. The summary by CVE is:

XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensitive user information to other local users.

The weakness was disclosed by Jai Niresh J. The advisory is shared at xenforo.com. This vulnerability is uniquely identified as CVE-2025-71280 since 04/01/2026. The exploitability is told to be easy. An attack has to be approached locally. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading to version 2.3.7 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• XenForo

Version

• 2.3.0
• 2.3.1
• 2.3.2
• 2.3.3
• 2.3.4
• 2.3.5
• 2.3.6

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion