CVE-2025-23025
Published: 14 January 2025
Summary
CVE-2025-23025 is a critical-severity Missing Authorization (CWE-862) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 15.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-15 (Collaborative Computing Devices and Applications).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-15 specifically protects collaborative computing applications like realtime WYSIWYG editing by implementing controls to prevent unauthorized actions, such as low-privilege users inserting executable macros that affect higher-privilege participants.
AC-3 enforces approved authorizations for realtime editing sessions, directly addressing the missing authorization that allows edit-only users to insert and execute script macros in the context of script-privileged users.
AC-6 least privilege restricts edit rights from enabling script macro insertion or execution across privilege levels in shared realtime sessions, mitigating escalation risks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authorization flaw (CWE-862) allowing a low-privilege edit user to insert script macros in realtime sessions that execute in the context of higher-privileged users, directly enabling privilege escalation with high C/I/A impact.
NVD Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled…
more
by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).
Deeper analysisAI
CVE-2025-23025 is a high-severity vulnerability (CVSS 3.1 score of 9.0) affecting the Realtime WYSIWYG Editor extension in the XWiki Platform, a generic wiki platform providing runtime services for applications. The issue, linked to CWE-862 (Missing Authorization), arises in versions where the extension was experimental and not recommended for use; it became enabled by default starting with XWiki 16.9.0. A user with only edit rights can exploit this during realtime collaborative editing sessions by inserting script rendering macros.
An attacker requires low-privilege edit access (PR:L) and must interact with a realtime editing session (UI:R) where other participants possess script or programming rights. By joining such a session—either with existing higher-privileged users or anticipating their arrival—the low-privileged user can insert malicious script macros. These macros execute in the context of the higher-privileged users' sessions (scope changed, S:C), potentially allowing the attacker to escalate privileges, achieve high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), and gain additional access rights across network-accessible (AV:N) instances with low complexity (AC:L).
Advisories recommend upgrading to patched versions: XWiki 15.10.2, 16.4.1, or 16.6.0-rc-1. For those unable to upgrade, mitigations include disabling the "xwiki-realtime" CKEditor plugin via the WYSIWYG editor administration section or uninstalling the Realtime WYSIWYG Editor extension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui). Details are available in the XWiki GitHub security advisory (GHSA-rmm7-r7wr-xpfg), JIRA ticket XWIKI-21949, and extension documentation.
Details
- CWE(s)