CVE-2025-32974
CRITICALXWiki 15.9-15.10.7 and 16.0.0-16.1.0 - Privilege Escalation via TextArea Default Content Type
Title source: llmDescription
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-22002
Scores
CVSS v3
9.0
EPSS
0.0029
EPSS Percentile
20.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-269
CWE-116
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-security-requiredrights-default
15.9-rc-1 - 15.10.8Maven
xwiki/xwiki
15.9 - 15.10.8
Published
Apr 30, 2025
Tracked Since
Feb 18, 2026