CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value.
Analysis
Critical privilege escalation vulnerability in XWiki that allows any user with page edit rights to execute arbitrary code (Groovy, Python, Velocity) with programming-level privileges by creating malicious wiki macros. An attacker can exploit wiki macro parameter defaults to inject code into high-privilege pages like XWiki.ChildrenMacro, achieving full XWiki installation compromise. The vulnerability affects XWiki versions prior to 16.4.7, 16.10.3, and 17.0.0; patch availability is confirmed across multiple release branches.
Technical Context
XWiki is a Java-based wiki platform that supports extensible macro scripting through multiple languages (Groovy, Python, Velocity). The vulnerability is an instance of CWE-94 (Improper Control of Generation of Code), specifically in how wiki macro parameters that support wiki syntax are evaluated. When such a parameter's default value contains wiki syntax, it is executed with the rights of the author of the document where the macro is used rather than with the rights of the macro definition's author. This creates a privilege escalation chain: (1) an attacker with edit rights defines a custom wiki macro with a parameter that allows wiki syntax, (2) the attacker sets a malicious default value, (3) when this macro is invoked in a high-privilege document (e.g., XWiki.ChildrenMacro in the XWiki namespace, which has programming rights), the default parameter value executes with those elevated rights. The affected product range includes XWiki Community and Enterprise editions across multiple major versions (14.x, 15.x, 16.x, 17.x branches).
Affected Products
XWiki Community and Enterprise editions: versions <16.4.7 (16.4.0-16.4.6), versions <16.10.3 (16.10.0-16.10.2), versions <17.0.0 (all pre-17.0.0 releases). CPE representation: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* (with the version constraints above). The vulnerability is present in any configuration where users with edit rights can create or modify wiki pages, and is most dangerous in installations where edit rights are granted to untrusted or semi-trusted users. No configuration hardening fully mitigates the issue without patching, though restricting edit rights reduces the attack surface.
Remediation
Immediate patching is required: upgrade to XWiki 16.4.7 or later (for the 16.4.x branch), 16.10.3 or later (for the 16.10.x branch), or 17.0.0 or later (for the 17.x branch). The patch changes the macro parameter evaluation logic so that a wiki-syntax default value is executed with the wiki macro author's rights (not the rights of the author of the invoking document), eliminating the privilege escalation. For organizations unable to patch immediately: (1) restrict page edit rights to highly trusted users only; (2) audit existing custom wiki macros for suspicious definitions; (3) monitor wiki modification logs for users creating new macros; (4) disable user self-service page editing if feasible; (5) implement network segmentation to limit exposure of the XWiki installation. Vendor advisory and patches are available through XWiki's official release channels (xwiki.org/download). No known workaround fully protects unpatched systems while maintaining wiki functionality.
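A defensive audit helper for remediation step (2), added here as an example and not part of this advisory or of XWiki itself: it scans an exported XWiki page (XML) for wiki macro definitions that redefine a macro id of interest (such as the children macro the description names) and for parameter objects whose default value embeds a script macro. The export layout, the class names XWiki.WikiMacroClass / XWiki.WikiMacroParameterClass and the property names are assumptions about the XWiki object model, and the sample document is constructed.

```python
import re
import xml.etree.ElementTree as ET

# A script macro inside a parameter's default value is the red flag: the advisory explains
# that such defaults ran with the rights of the page invoking the macro before the fix.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(groovy|python|velocity|script)\b", re.IGNORECASE)
MACRO_CLASS = "XWiki.WikiMacroClass"            # assumed: class of a wiki macro definition object
PARAM_CLASS = "XWiki.WikiMacroParameterClass"   # assumed: class of each macro parameter object

def _prop(obj, key):
    """Text of <property><key>...</key></property> inside an <object>, or '' if absent."""
    node = obj.find(f"./property/{key}")
    return (node.text or "") if node is not None else ""

def audit_macro_doc(xml_text, protected_ids=("children",)):
    """Scan one exported XWiki document and return a list of (kind, detail) findings.
    kind is 'override' (the page redefines a macro id in protected_ids) or
    'script-default' (a parameter's default value embeds a script macro)."""
    root = ET.fromstring(xml_text)
    doc_ref = f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author") or "?"
    findings = []
    for obj in root.findall("object"):
        cls = obj.findtext("className")
        if cls == MACRO_CLASS and _prop(obj, "id") in protected_ids:
            findings.append(("override",
                             f"{doc_ref} (author {author}) redefines macro '{_prop(obj, 'id')}'"))
        elif cls == PARAM_CLASS:
            hit = SCRIPT_MACRO_RE.search(_prop(obj, "defaultValue"))
            if hit:
                findings.append(("script-default",
                                 f"{doc_ref} parameter '{_prop(obj, 'name')}' default embeds a "
                                 f"{hit.group(1).lower()} macro"))
    return findings

# Constructed sample export: a page by an ordinary user that redefines 'children' and gives
# one parameter a default value carrying a (placeholder, no-op) Groovy macro.
SAMPLE_DOC = """<xwikidoc>
<web>Sandbox</web><name>MyMacro</name><author>xwiki:XWiki.SampleUser</author>
<object><className>XWiki.WikiMacroClass</className>
 <property><id>children</id></property></object>
<object><className>XWiki.WikiMacroParameterClass</className>
 <property><name>header</name></property>
 <property><defaultValue>{{groovy}}/* placeholder */{{/groovy}}</defaultValue></property></object>
<object><className>XWiki.WikiMacroParameterClass</className>
 <property><name>count</name></property>
 <property><defaultValue>10</defaultValue></property></object>
</xwikidoc>"""
```

Run `audit_macro_doc` over every document in an exported XAR; a page that both redefines a bundled macro id and carries a script-macro default deserves the first look.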
EUVD-2025-18284