CVE-2025-23025
Published: 14 January 2025
Summary
CVE-2025-23025 is a critical-severity Missing Authorization (CWE-862) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS 3.1 base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 13.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-15 (Collaborative Computing Devices and Applications).
Deeper analysis
XWiki Platform's Realtime WYSIWYG Editor extension contains an authorization flaw tracked as CVE-2025-23025. In the affected versions the extension was experimental and not recommended; it became enabled by default, and therefore recommended, only in XWiki 16.9.0, so an affected deployment is one that had installed and enabled the extension. A user holding only edit right can join an active realtime editing session and insert script rendering macros. Those macros are rendered for every participant, and for participants who hold script or programming rights (whether already present or joining later) they execute with that participant's rights rather than the inserting user's, which is the missing authorization check. The issue is classified under CWE-862 and carries a CVSS 3.1 base score of 9.0.
An attacker with nothing more than edit access can therefore run arbitrary scripts in the context of higher-privileged session members and use them to grant themselves elevated rights within the wiki. The vulnerability affects XWiki versions before the fixed releases 15.10.2, 16.4.1 and 16.6.0-rc-1.
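The authorization boundary at stake is easier to see in code. The model below is an added example, not XWiki's own implementation: it contrasts a renderer that checks only the viewer's rights over the merged session content with one that attributes every inserted fragment to its author and requires script right from both author and viewer. All names (User, Fragment, Session, render_vulnerable, render_hardened) are hypothetical; only the macro names groovy, velocity and python and the {{name}}...{{/name}} syntax are real XWiki conventions.

```python
"""Illustrative model (added example, not XWiki code) of why executing a
script macro with the rights of whoever *renders* merged realtime content
lets an edit-only author ride on a script-privileged viewer, and how
attributing each fragment to its author closes the gap."""
import re
from dataclasses import dataclass, field

# Real XWiki script macro names; the closing tag mirrors the opener.
SCRIPT_MACROS = frozenset({"groovy", "velocity", "python"})
SCRIPT_RIGHTS = frozenset({"script", "programming"})
MACRO_RE = re.compile(r"\{\{(\w+)\}\}(.*?)\{\{/\1\}\}", re.S)


@dataclass(frozen=True)
class User:            # hypothetical
    name: str
    rights: frozenset  # e.g. {"edit"} or {"edit", "script", "programming"}


@dataclass(frozen=True)
class Fragment:        # hypothetical: one insertion into the shared document
    text: str
    author: User


@dataclass
class Session:         # hypothetical realtime session: an ordered list of insertions
    fragments: list = field(default_factory=list)

    def insert(self, user: User, text: str) -> None:
        if "edit" not in user.rights:
            raise PermissionError(f"{user.name} has no edit right")
        self.fragments.append(Fragment(text, user))

    def merged(self) -> str:
        # Merging drops authorship: this is where the vulnerable path loses it.
        return "".join(f.text for f in self.fragments)


def run_macro(name: str, body: str) -> str:
    # Stand-in for real execution: just records that the macro would have run.
    return f"<executed {name}: {body.strip()}>"


def _render(text: str, script_allowed: bool) -> str:
    def sub(m: re.Match) -> str:
        name, body = m.group(1), m.group(2)
        if name in SCRIPT_MACROS:
            return run_macro(name, body) if script_allowed else f"<denied {name}>"
        return body  # non-script macros are treated as plain content here
    return MACRO_RE.sub(sub, text)


def render_vulnerable(session: Session, viewer: User) -> str:
    """Vulnerable pattern: a single rights check, against the viewer only,
    over the merged document. Whoever inserted the macro is irrelevant."""
    return _render(session.merged(), bool(viewer.rights & SCRIPT_RIGHTS))


def render_hardened(session: Session, viewer: User) -> str:
    """Hardened pattern: render fragment by fragment and execute a script
    macro only if BOTH its author and the viewer hold script right.
    (A real implementation must keep authorship at whatever granularity the
    merge uses, so a macro split across fragments cannot dodge the check.)"""
    out = []
    for frag in session.fragments:
        allowed = bool(frag.author.rights & SCRIPT_RIGHTS) and bool(viewer.rights & SCRIPT_RIGHTS)
        out.append(_render(frag.text, allowed))
    return "".join(out)


def demo() -> dict:
    """Constructed scenario: an admin starts a session, an edit-only user
    inserts a groovy macro, and each participant renders the result."""
    editor = User("editor", frozenset({"edit"}))
    admin = User("admin", frozenset({"edit", "script", "programming"}))
    s = Session()
    s.insert(admin, "Meeting notes. ")
    s.insert(editor, "{{groovy}}println 'runs as whoever renders me'{{/groovy}}")
    return {
        "vulnerable_admin": render_vulnerable(s, admin),   # macro executes: escalation
        "hardened_admin": render_hardened(s, admin),       # macro denied: author lacks script right
        "vulnerable_editor": render_vulnerable(s, editor), # denied either way: viewer lacks it too
    }


if __name__ == "__main__":
    for label, rendered in demo().items():
        print(f"{label}: {rendered}")
```

The decisive difference is the conjunction in render_hardened: the author's rights bound what a fragment may do, and the viewer's rights bound what may run for them, so an edit-only participant never gets script execution by proxy. Disabling the xwiki-realtime plugin, as the advisory suggests for deployments that cannot upgrade, removes the shared session entirely and with it the renderer-side check this model relies on.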
Official advisories recommend upgrading to one of the fixed releases. Where upgrades are not feasible, administrators can disable the xwiki-realtime CKEditor plugin through the WYSIWYG editor administration section or uninstall the org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui extension entirely.
The associated EPSS score rose from a low baseline to a peak of 0.0505 on 2025-12-11 before receding to the current value of 0.0295. EPSS is a modelled probability of exploitation activity in the next 30 days, not a record of observed attacks, so the rise signals increased predicted exploitation interest after disclosure rather than confirmed in-the-wild use, consistent with the CVE's absence from CISA KEV.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0066
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that were already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editor extension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).
CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization flaw (CWE-862) that lets a low-privilege edit user insert script macros into a realtime session which then execute in the context of higher-privileged participants; this is privilege escalation via a software flaw (T1068), with high confidentiality, integrity and availability impact because the scripts run with script or programming rights.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SC-15 (Collaborative Computing Devices and Applications) applies here by analogy: in NIST 800-53 r5 the control is written around devices such as cameras and microphones (prohibiting remote activation and indicating use to participants), and realtime WYSIWYG editing is a collaborative computing application of the same kind. Its relevance is in governing what each participant in a shared session is permitted to do, such as preventing low-privilege users from inserting executable macros that affect higher-privilege participants; the direct technical fix is the access enforcement covered by AC-3 and AC-6 below.
AC-3 enforces approved authorizations for realtime editing sessions, directly addressing the missing authorization that allows edit-only users to insert and execute script macros in the context of script-privileged users.
AC-6 least privilege restricts edit rights from enabling script macro insertion or execution across privilege levels in shared realtime sessions, mitigating escalation risks.