Cyber Resilience

CVE-2025-32974

Critical

Published: 30 April 2025
Modified: 13 May 2025
KEV Added: not listed
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0053 (67.8th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-32974 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in XWiki (vendor: XWiki). Its CVSS v3.1 base score is 9.0 (Critical).

Operationally, it ranks in the top 32.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

XWiki, a generic wiki platform, contains a flaw in its required-rights analysis: the analysis does not account for TextArea properties that use the default content type. The issue affects versions 15.9-rc-1 through 15.10.7 and 16.0.0-rc-1 through 16.1.x. The editor warning introduced in 15.9, which alerts an editor to script macros on the page that would gain rights once a more privileged user saves it, does not inspect these properties, so malicious content hidden there persists on the page unnoticed.

An attacker with ordinary page-editing rights can place script macros inside the overlooked TextArea fields. When a user who holds script, admin, or programming rights later edits the same page, the scripts execute with that user's rights, with full impact on the confidentiality, integrity, and availability of the XWiki instance.
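One defensive check an XWiki administrator can run while an upgrade is pending, as an added example that is not part of this advisory or of the XWiki project's own code: scan exported page XML for script macros sitting in xobject property values rather than only in the page body, which is the part the in-editor warning already covers. It assumes the XAR page layout (`<xwikidoc>` with `<content>` and `<object>`/`<property>` children); the class name, field names and page content in the sample are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# XWiki script macros that execute server-side code when the page is rendered.
# Matches {{groovy}}, {{velocity}}, {{python}} and {{script language="..."}}.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(groovy|velocity|python|script)\b", re.IGNORECASE)


def find_script_macros(page_xml: str) -> list[tuple[str, str, str]]:
    """Scan one exported XWiki page and return (object class, field, macro) for
    every xobject property value that contains a script macro, plus
    ("(document)", "content", macro) for macros in the page body itself.

    Assumption: the XAR page layout of <xwikidoc> with <content> and
    <object><className/><property><fieldName>value</fieldName></property></object>.
    """
    root = ET.fromstring(page_xml)
    findings = []

    # Page body: this is what the in-editor rights warning already inspects.
    for macro in SCRIPT_MACRO_RE.finditer(root.findtext("content") or ""):
        findings.append(("(document)", "content", macro.group(1).lower()))

    # Object properties: the place the pre-15.10.8 / pre-16.2.0 analysis overlooked.
    # The class definition is needed to know which fields are TextAreas, so every
    # field is checked; a macro in any property value is worth a review.
    for obj in root.iter("object"):
        class_name = (obj.findtext("className") or "").strip()
        for prop in obj.iter("property"):
            for field in prop:  # each <property> wraps one element named after the field
                for macro in SCRIPT_MACRO_RE.finditer(field.text or ""):
                    findings.append((class_name, field.tag, macro.group(1).lower()))
    return findings


def audit_pages(pages: dict[str, str]) -> dict[str, list[tuple[str, str, str]]]:
    """Run find_script_macros over a {page reference: xml} mapping; keep pages with findings."""
    report = {}
    for ref, xml in pages.items():
        hits = find_script_macros(xml)
        if hits:
            report[ref] = hits
    return report


# Constructed sample: one page whose body is harmless but whose xobject carries a
# Groovy macro in a text field, and one clean page. Class/field names are invented.
SAMPLE_PAGES = {
    "Sandbox.Hidden": """<xwikidoc reference="Sandbox.Hidden" locale="">
  <web>Sandbox</web>
  <name>Hidden</name>
  <content>= Looks harmless =

Nothing to see here.</content>
  <object>
    <name>Sandbox.Hidden</name>
    <className>XWiki.ExampleClass</className>
    <property>
      <description>{{groovy}}println "hidden"{{/groovy}}</description>
    </property>
    <property>
      <title>Plain text title</title>
    </property>
  </object>
</xwikidoc>""",
    "Sandbox.Clean": """<xwikidoc reference="Sandbox.Clean" locale="">
  <content>Just text, with an {{info}}info box{{/info}} macro.</content>
</xwikidoc>""",
}


if __name__ == "__main__":
    for ref, hits in audit_pages(SAMPLE_PAGES).items():
        for class_name, field, macro in hits:
            print(f"{ref}: {{{{{macro}}}}} macro found in {class_name}.{field}")
```

Run it over the pages of a XAR export (one file per page) and review every hit before a user with script, admin or programming rights touches the page. The regex is deliberately broad, so a script macro quoted inside a `{{code}}` block is reported too; that is a false positive to triage by hand, not a reason to narrow the match.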

The official XWiki security advisory and the linked GitHub commit indicate that the vulnerability is resolved by upgrading to 15.10.8 or 16.2.0, which extend the rights analysis to cover the previously omitted TextArea cases. The associated Jira ticket XWIKI-22002 provides additional technical detail on the fix.

EPSS scores rose from a low baseline to a peak of 0.0138, indicating emerging exploitation interest after disclosure.

EU & UK References

Vulnerability details

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki / xwiki: 15.9 up to 15.10.8 (fixed in 15.10.8), 16.0.0 up to 16.2.0 (fixed in 16.2.0)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-269: Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.

Addresses CWE-269: Access supervision ensures privileges are assigned and managed without improper escalation or retention.

Addresses CWE-269: Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.

Addresses CWE-269: Enforces proper privilege management by requiring all decisions to pass through the verified reference monitor.

Addresses CWE-269: By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.

Addresses CWE-269: Implements core proper privilege management by restricting accounts to only the rights they require.

Addresses CWE-269: Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.

Addresses CWE-269: Training covers proper privilege management practices, making incorrect privilege assignments less likely.

References