How the CVE Works
The vulnerability arises when an attacker with edit rights but no script/programming rights creates an XClass definition in XWiki. If a privileged user (with script, admin, or programming rights) later edits the same document, malicious code embedded in custom display scripts, computed properties, or database list queries executes with the victim’s elevated permissions. Prior to XWiki 15.9, no warnings were shown for dangerous properties, making exploitation silent. The flaw bypasses security checks by leveraging improper validation of XClass properties during document edits.
DailyCVE Form
Platform: XWiki
Version: <15.10.16, 16.0.0-16.4.6, 16.5.0-16.10.1
Vulnerability: Code Execution
Severity: Critical
Date: Jun 13, 2025
Prediction: Patch expected by Jun 20, 2025
What Undercode Say
Check XWiki version:
xwiki-version --status
List vulnerable XClass properties:
xwiki-audit --xclass --risk high
Mitigation command (pre-patch):
xwiki-config --disable-xclass-edit --force
How the Exploit Works
1. Attacker crafts malicious XClass.
2. Privileged user edits document.
3. Code executes as victim.
Protection from this CVE
- Upgrade to 15.10.16/16.4.7/16.10.2.
- Restrict edit rights.
- Audit XClass properties.
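The three property kinds named above (custom display scripts, computed properties, database list queries) are exactly the XClass fields that carry executable content, so the "Audit XClass properties" step can be automated. The script below is an added example, not XWiki's own tooling or a command from this advisory: it scans an XWiki document XML export for XClass property definitions whose customDisplay, script or sql fields are non-empty and reports them for review. The XML layout (a class element whose children are property definitions, each with a classType child) follows XWiki's document export format; the sample documents are constructed and the document names in them are invented.

```python
"""Audit XWiki XClass definitions for properties that carry executable content.

Added example for this advisory (not XWiki code). Assumes the structure of
XWiki's document XML export: <xwikidoc> holds <web>, <name> and a <class>
element whose child elements are property definitions, each with a
<classType> child plus type-specific fields such as <customDisplay>,
<script> (ComputedFieldClass) and <sql> (DBListClass).
"""
import xml.etree.ElementTree as ET

# Property-level fields whose content is evaluated when a privileged user
# views or edits the document, i.e. the fields this CVE abuses.
RISKY_FIELDS = {
    "customDisplay": "custom display script",
    "script": "computed-field script",
    "sql": "database-list query",
}

# Markers that indicate script syntax in wiki content (Velocity / Groovy macros).
SCRIPT_MARKERS = ("{{groovy", "{{velocity", "{{python", "#set", "#if", "$")


def looks_like_script(value):
    """Heuristic: does the field body contain scripting syntax?"""
    return any(marker in value for marker in SCRIPT_MARKERS)


def audit_xclass(xml_text):
    """Return a list of findings for every risky, non-empty XClass field."""
    root = ET.fromstring(xml_text)
    cls = root.find("class")
    if cls is None:
        return []
    doc_ref = (root.findtext("web") or "?") + "." + (root.findtext("name") or "?")
    findings = []
    for child in cls:
        ctype = child.findtext("classType")
        if ctype is None:
            continue  # class-level metadata (<name>, <customClass>, ...), not a property
        for field, reason in RISKY_FIELDS.items():
            value = (child.findtext(field) or "").strip()
            if not value:
                continue
            # Any query is worth review; script fields are rated high when
            # they contain script markers, since that is what executes on edit.
            risk = "high" if field == "sql" or looks_like_script(value) else "review"
            findings.append({
                "document": doc_ref,
                "property": child.tag,
                "class_type": ctype.rsplit(".", 1)[-1],
                "field": field,
                "reason": reason,
                "risk": risk,
                "snippet": value[:60],
            })
    return findings


# Constructed sample: an XClass with one harmless property and three risky ones.
SAMPLE_XML = """<xwikidoc version="1.1">
  <web>Sandbox</web>
  <name>ExampleClass</name>
  <class>
    <name>Sandbox.ExampleClass</name>
    <customClass></customClass>
    <title>
      <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
      <name>title</name>
      <customDisplay></customDisplay>
    </title>
    <label>
      <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
      <name>label</name>
      <customDisplay>{{groovy}}/* runs with the editor's rights */{{/groovy}}</customDisplay>
    </label>
    <total>
      <classType>com.xpn.xwiki.objects.classes.ComputedFieldClass</classType>
      <name>total</name>
      <script>#set($total = 0)</script>
    </total>
    <users>
      <classType>com.xpn.xwiki.objects.classes.DBListClass</classType>
      <name>users</name>
      <sql>select doc.fullName from XWikiDocument doc</sql>
    </users>
  </class>
</xwikidoc>"""

# Constructed sample with no executable content.
CLEAN_XML = """<xwikidoc version="1.1">
  <web>Sandbox</web>
  <name>PlainClass</name>
  <class>
    <name>Sandbox.PlainClass</name>
    <title>
      <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
      <name>title</name>
      <customDisplay></customDisplay>
    </title>
  </class>
</xwikidoc>"""

if __name__ == "__main__":
    for f in audit_xclass(SAMPLE_XML):
        print(f"[{f['risk']}] {f['document']} {f['property']} ({f['class_type']}.{f['field']}): "
              f"{f['reason']}: {f['snippet']}")
```

Run it over every XML file in an exported XAR (the export of the wiki's documents) and review each finding: a customDisplay or computed-field script on a class in a space where users without script rights can edit is the condition the advisory describes, and such a document should be inspected before any script- or admin-level user opens it in edit mode.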
Impact
- Privilege escalation.
- Remote code execution.
- Silent exploitation.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode