Impact
The vulnerability is an open redirect: an attacker who supplies a crafted value to the getDynamicRedirect() endpoint can send users to an arbitrary external URL. The flaw arises because the function does not properly validate the redirect target, so it accepts inputs containing newlines, embedded user credentials (user:password@host), or a host that does not match the site's own host. Because the redirect can point to any domain, users who follow such a link may be exposed to phishing, credential harvesting, or malware without their consent, although the flaw itself does not give the attacker code execution or access to site data.
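The mitigation for this class of bug is to validate the redirect target before emitting a Location header. The validator below is an added illustration written for this advisory, not XenForo's own code; it assumes a hypothetical site host of forum.example and falls back to the site root whenever the target carries any of the three input classes named above (control characters such as CR/LF, embedded credentials, or a foreign or protocol-relative host).

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(target: str, site_host: str, fallback: str = "/") -> str:
    """Return `target` if it is a same-site redirect, otherwise `fallback`.

    Rejects: control characters (CR/LF header injection), embedded
    credentials (user:pass@host), non-http(s) schemes, protocol-relative
    targets ("//host"), and absolute URLs whose host is not `site_host`.
    """
    # Any control character (including "\r" and "\n") is rejected outright.
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return fallback
    # Browsers treat a backslash as a slash, so normalise before parsing;
    # otherwise "/\evil.example" would look like a harmless relative path.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    # Userinfo is never legitimate in a redirect target; it is the classic
    # way to make "https://forum.example@evil.example/" look same-site.
    if "@" in parts.netloc:
        return fallback
    if parts.scheme:
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return fallback
        if parts.hostname is None or parts.hostname.lower() != site_host.lower():
            return fallback
        return candidate  # absolute URL on our own host
    # No scheme: only a plain root-relative path is accepted. A non-empty
    # netloc here means a protocol-relative URL ("//evil.example/").
    if parts.netloc or not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```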
Affected Systems
XenForo forum software is affected: every 2.2.x release before 2.2.17 and every 2.3.x release before 2.3.1. The vendor fixed the issue in the 2.2.17 and 2.3.1 releases, so upgrading to one of those or a later version resolves the problem.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score below 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation is known yet. An attacker triggers the redirect with a crafted URL aimed at the getDynamicRedirect endpoint whose target includes newline characters or embedded credentials to subvert normal URL parsing. The primary vector is a lure link that a logged-in or anonymous user clicks, producing a client-side redirect. Because no special privileges are required, a large share of a widely visited site's users could be affected.
OpenCVE Enrichment