How the CVE Works
XWiki versions 15.9-rc-1 to 16.4.6, 16.5.0-rc-1 to 16.10.2, and 17.0.0-rc-1 are vulnerable because the rights validation applied to macros is incomplete. The required-rights analysis skips macro parameters whose names are not all lowercase, and it also skips certain fields such as the “source” parameter of the content and context macros. An attacker who can edit a page can therefore place a script macro (e.g., Groovy or Python) in it without the check flagging the page. When a privileged user later edits that page, the script runs with that user's rights, leading to remote code execution (RCE).
DailyCVE Form
Platform: XWiki
Version: 15.9-rc-1 – 16.4.6
Vulnerability: Incomplete macro rights
Severity: Critical
Date: 2025-06-13
Prediction: Patch expected by 2025-06-20
What Undercode Say
Check XWiki version:
curl -s http://xwiki-host/version | grep "XWiki"
Exploit PoC (hypothetical):
POST /editpage HTTP/1.1
Content-Type: text/xwiki
...
{macro:Script}{groovy}malicious-code{/groovy}{/macro}
How the Exploit Works
1. Attacker injects a malicious macro via a crafted page edit.
2. Privileged user edits the page, triggering script execution.
3. RCE is achieved in the privileged user's context.
Protection from this CVE
- Upgrade to XWiki 16.4.7/16.10.3/17.0.0.
- Restrict edit rights for untrusted users.
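As an added defender-side example (not part of this post and not XWiki's own code), the Python triage helper below ties together the two things an administrator needs after reading the description above and the upgrade advice in the Protection section: it checks an installed version string against the three vulnerable ranges named on this page, and it scans page source written in XWiki 2.x `{{macro}}` syntax for the patterns the advisory singles out (script macros, parameters with non-lowercase names, and a `source` parameter on the content or context macro), so that such pages can be reviewed before a privileged user opens them in the editor. The set of script macro names, the sample page content, and the rule that a release candidate sorts before the final release of the same number are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# --- 1. Version triage ----------------------------------------------------

# Inclusive vulnerable ranges taken from the advisory text above. Only
# 17.0.0-rc-1 is named for the 17.x line, so that range is a single version.
VULNERABLE_RANGES = [
    ("15.9-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.2"),
    ("17.0.0-rc-1", "17.0.0-rc-1"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Map 'MAJOR.MINOR[.PATCH][-rc-N]' to a sortable tuple.

    Assumption: a release candidate sorts before the final release of the
    same number, so the fourth element is 0 for rc builds and 1 for finals."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def is_vulnerable_version(v: str) -> bool:
    """True if v falls inside one of the advisory's vulnerable ranges."""
    pv = parse_version(v)
    return any(parse_version(lo) <= pv <= parse_version(hi)
               for lo, hi in VULNERABLE_RANGES)


# --- 2. Page-content scan ---------------------------------------------------

# Opening macro tag in XWiki 2.x syntax: {{name param="v" ...}} or {{name/}}.
# Closing tags ({{/name}}) are excluded by the negative lookahead.
_MACRO_RE = re.compile(r"\{\{(?!/)\s*([A-Za-z][\w-]*)([^}]*?)/?\}\}")
# One name=value parameter; values may be double-, single- or unquoted.
_PARAM_RE = re.compile(r"([A-Za-z_][\w-]*)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s}]+)")

# Macros whose body is executed as code (assumption; extend for your wiki).
SCRIPT_MACROS = {"script", "groovy", "python"}
# Macros whose "source" parameter the advisory says was not analysed.
SOURCE_MACROS = {"content", "context"}


def scan_page_content(text: str) -> List[str]:
    """Return findings for macro usage worth reviewing before a privileged
    user edits or renders the page."""
    findings: List[str] = []
    for m in _MACRO_RE.finditer(text):
        name = m.group(1)
        params: Dict[str, str] = dict(_PARAM_RE.findall(m.group(2)))
        tag = "{{" + name + "}}"
        if name.lower() in SCRIPT_MACROS:
            findings.append(f"script macro {tag} present")
        for pname in params:
            # The flawed check skipped parameters whose name is not lowercase.
            if pname != pname.lower():
                findings.append(f"non-lowercase parameter {pname!r} on {tag}")
        if name.lower() in SOURCE_MACROS and "source" in {p.lower() for p in params}:
            findings.append(f"{tag} macro uses a 'source' parameter")
    return findings


# Constructed sample page source for demonstration; not from a real wiki.
SAMPLE_PAGE = """\
= Welcome =
{{info}}Plain informational box, nothing to flag.{{/info}}
{{script Language="groovy"}}println("hello")
{{/script}}
{{content source="document:Sandbox.SomePage"/}}
{{context document="Main.WebHome"}}{{groovy}}println 1{{/groovy}}{{/context}}
"""

if __name__ == "__main__":
    for v in ("16.4.6", "16.4.7", "16.10.3", "17.0.0-rc-1", "17.0.0"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for finding in scan_page_content(SAMPLE_PAGE):
        print("review:", finding)
```

The scanner is deliberately noisy: every script macro is reported, not only ones hidden behind the parameter-casing gap, because after upgrading the sensible follow-up is still to know which pages carry executable content and who last edited them.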
Impact
- Remote Code Execution (RCE).
- Privilege escalation via macro abuse.
Sources:
Reported By: github.com
Extra Source Hub: Undercode