CVE-2025-32974
Published: 30 April 2025
Summary
CVE-2025-32974 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in XWiki (vendor: XWiki). Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki, a generic wiki platform, contains a flaw in its required rights analysis mechanism that fails to account for TextArea properties using the default content type. The issue affects versions from 15.9-rc-1 through 15.10.7 and from 16.0.0-rc-1 through 16.1.x, where the editor warning introduced in 15.9 for script macros that could escalate privileges does not inspect these properties, allowing hidden malicious content to persist on pages.
An attacker with standard page editing rights can place executable scripts inside the overlooked TextArea fields. When a user possessing script, admin, or programming rights later edits the same page, the scripts execute in that elevated context, enabling full impact on the confidentiality, integrity, and availability of the XWiki instance.
The official XWiki security advisory and the linked GitHub commit indicate that the vulnerability is resolved by upgrading to 15.10.8 or 16.2.0, which extend the rights analysis to cover the previously omitted TextArea cases. The associated Jira ticket XWIKI-22002 provides additional technical detail on the fix.
EPSS scores rose from a low baseline to a peak of 0.0138, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12740
Vulnerability details
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.
- CWE(s): CWE-116 (Improper Encoding or Escaping of Output)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
- Access supervision ensures privileges are assigned and managed without improper escalation or retention.
- Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
- Enforces proper privilege management by requiring all decisions through the verified reference monitor.
- By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
- Implements core proper privilege management by restricting to only required rights.
- Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
- Training covers proper privilege management practices, making incorrect privilege assignments less likely.