XWiki allows remote code execution through insecure handling of default values in wiki macro parameters. The flaw occurs when a wiki macro parameter permits wiki syntax: its default value is executed with the rights of the document's author rather than those of the macro's creator. An attacker can abuse this by overriding a built-in macro (e.g., the children macro) that is used in a privileged page (e.g., XWiki.ChildrenMacro), so that the attacker-controlled default is evaluated with that page's elevated rights. The result is arbitrary script execution (Groovy, Python, Velocity) with programming rights, which means full control over the XWiki instance and loss of confidentiality, integrity, and availability.
DailyCVE Form:
Platform: XWiki
Version (affected): 11.10.11 to 12.0; 12.6.3 to 12.7; 12.8-rc-1 up to but not including 16.4.7; 16.5.0-rc-1 up to but not including 16.10.3; 17.0.0-rc-1
Vulnerability: RCE via macro defaults
Severity: Critical
Date: 2025-06-13
Prediction: Patch expected by 2025-06-20
What Undercode Says:
Check XWiki version:
curl -I http://xwiki-host/xwiki/bin/Main/WebHome
Note that the response headers alone do not identify the XWiki release; the running version is shown in the wiki's page footer and, on a default install, in the version attribute of the REST root document returned by GET http://xwiki-host/xwiki/rest (this REST detail is stated from general XWiki knowledge, not from the advisory). Compare the result against the affected ranges above.
Exploit PoC (Groovy), as given in the original post:
{{children macro="script" language="groovy"}} println "RCE achieved" {{/children}}
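As an added example that is not part of the original post or of XWiki's own code, the version check above expanded into a small Python script. It reads the version attribute from the XML document XWiki serves at /xwiki/rest (an assumption about the REST API; the sample document below is constructed, not captured from a live host), parses release-candidate suffixes so that 17.0.0-rc-1 sorts before 17.0.0, and tests the version against the affected ranges listed in this advisory. Where the upper bound of a range is one of the fixed releases named under "Protection" (16.4.7, 16.10.3) it is treated as exclusive; the remaining bounds are treated as inclusive, which is an interpretation of the page's range notation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the XWiki REST root resource (GET /xwiki/rest),
# trimmed to what this check needs. The endpoint and its `version`
# attribute are an assumption about XWiki's REST API, not text from the
# advisory; replace with the real response of your instance.
SAMPLE_REST_ROOT = """<xwiki xmlns="http://www.xwiki.org" version="16.10.2">
  <link rel="http://www.xwiki.org/rel/wikis" href="http://xwiki-host/xwiki/rest/wikis"/>
</xwiki>"""

# XWiki version strings: "16.4.7", "12.7", "17.0.0-rc-1", "12.8-rc-1"
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-rc-(\d+))?$")

def version_key(version):
    """Turn an XWiki version string into a sortable tuple.

    Missing minor/patch components count as 0, and a release candidate
    sorts before its final release: 17.0.0-rc-1 < 17.0.0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, rc = m.groups()
    nums = tuple(int(x or 0) for x in (major, minor, patch))
    pre = (0, int(rc)) if rc is not None else (1, 0)
    return nums + pre

# Affected ranges exactly as listed in the advisory: (low, high, high_inclusive).
# The high bound is exclusive where it is a fixed release named by the page.
AFFECTED_RANGES = [
    ("11.10.11", "12.0", True),
    ("12.6.3", "12.7", True),
    ("12.8-rc-1", "16.4.7", False),
    ("16.5.0-rc-1", "16.10.3", False),
    ("17.0.0-rc-1", "17.0.0-rc-1", True),
]

FIXED_VERSIONS = ["16.4.7", "16.10.3", "17.0.0"]

def is_affected(version):
    """True if `version` falls inside any affected range from the advisory."""
    k = version_key(version)
    for low, high, high_inclusive in AFFECTED_RANGES:
        low_k, high_k = version_key(low), version_key(high)
        in_upper = k <= high_k if high_inclusive else k < high_k
        if low_k <= k and in_upper:
            return True
    return False

def version_from_rest_root(xml_text):
    """Extract the version attribute from the REST root document."""
    root = ET.fromstring(xml_text)
    # The root element is namespaced ({http://www.xwiki.org}xwiki); compare
    # the local name only.
    if root.tag.split("}")[-1] != "xwiki":
        raise ValueError("not an XWiki REST root document")
    version = root.get("version")
    if not version:
        raise ValueError("REST root document carries no version attribute")
    return version

def assess(xml_text):
    """Return (version, affected) for a REST root document."""
    version = version_from_rest_root(xml_text)
    return version, is_affected(version)

if __name__ == "__main__":
    version, affected = assess(SAMPLE_REST_ROOT)
    state = "AFFECTED" if affected else "not affected"
    print(f"XWiki {version}: {state}; fixed releases: {', '.join(FIXED_VERSIONS)}")
```

In practice fetch the document with `curl -s http://xwiki-host/xwiki/rest` and pass the body to `assess`; the sample above reports 16.10.2 as affected because it lies below the fixed 16.10.3 release.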
How the exploit works:
1. An attacker with edit rights on some page defines a wiki macro that overrides a built-in macro used in a privileged page.
2. The overriding macro's default parameter value, which permits wiki syntax, carries the malicious script.
3. When the privileged page renders the macro, the default value is executed with that document's programming rights.
Protection from this CVE:
- Upgrade to XWiki 16.4.7, 16.10.3, or 17.0.0.
- Restrict edit rights on privileged pages.
Impact:
- Full system compromise (RCE).
- Data theft/modification.
- Service disruption.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode