CVE-2025-55730
Published: 09 September 2025
Summary
CVE-2025-55730 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in XWiki (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely patching of the XWiki Remote Macros extension to version 1.26.5, which fixes the improper escaping of the classes parameter leading to XWiki syntax injection and RCE.
- SI-10 (Information Input Validation): mandates validation of user-supplied inputs like the classes parameter in the Confluence Paste Code Macro to block malicious XWiki syntax injection.
- SI-15 (Information Output Filtering): enforces filtering and proper encoding of outputs, such as the unescaped title/classes parameter inserted into XWiki syntax, to prevent injection attacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- Exploit Public-Facing Application (T1190): direct RCE via unsanitized XWiki syntax injection in a public-facing wiki macro, matching exploitation of public-facing applications.
NVD Description
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.
Deeper analysis
CVE-2025-55730 is a remote code execution vulnerability in the XWiki Remote Macros extension, specifically affecting the Confluence Paste Code Macro. This extension provides XWiki rendering macros for migrating content from Confluence. The issue is missing output escaping: the classes parameter (the NVD description also refers to it as the title) is inserted into XWiki syntax verbatim, so a value containing XWiki syntax is interpreted as markup rather than as a literal parameter value (XWiki syntax injection). It impacts versions from 1.0 up to but not including 1.26.5 and is rated with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), linked to CWE-116 (Improper Encoding or Escaping of Output).
Any user with edit rights on any page can trigger this vulnerability remotely; the CVSS vector records no further privileges (PR:N) and no user interaction (UI:N). By injecting XWiki syntax via the classes parameter in the Confluence Paste Code Macro, an attacker can achieve arbitrary remote code execution on the XWiki server, potentially leading to full compromise of the host, with high confidentiality, integrity, and availability impacts and a changed scope (S:C) because the effect reaches beyond the vulnerable extension.
The fix is available in version 1.26.5 of XWiki Remote Macros, which addresses the escaping issue. Security practitioners should upgrade immediately, as detailed in the GitHub security advisory (GHSA-5w8v-h22g-j2mp), the fixing commit (049716df415aaf00938a91d618d382777820d2af), the vulnerable code location, and XWiki JIRA ticket XWIKI-20449.
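The two controls named above (SI-10 input validation and SI-15 output encoding) can be illustrated on the defect class described here. The following Python is an added example, not code from the XWiki Remote Macros extension or its fixing commit: it models a macro that takes a CSS class list as a parameter, shows the CWE-116 pattern of concatenating the value straight into wiki syntax, and beside it a version that allow-lists the class names and escapes the value before it is placed inside a quoted macro parameter. The `box` macro name, its `cssClass` parameter, and the assumption that XWiki 2.1 syntax escapes a quote or backslash inside a double-quoted parameter value with a backslash are assumptions for the example, not facts taken from the advisory.

```python
import re

# Assumption (not from the advisory): a valid CSS class name is a letter or underscore,
# optionally preceded by a hyphen, followed by letters, digits, underscores or hyphens.
_CLASS_TOKEN = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_-]*$")

# Assumption (not from the advisory): opening macro markers in XWiki syntax look like
# "{{name". Counting them is a cheap regression check that a rendered macro contains
# exactly the invocations the template intended.
_MACRO_OPEN = re.compile(r"\{\{\s*[A-Za-z]")


def validate_css_classes(value: str) -> str:
    """SI-10 style allow-list validation of a space-separated CSS class list.

    Returns the normalised list or raises ValueError; it never tries to "clean"
    a bad value, because silently dropping characters is how escaping bugs hide.
    """
    tokens = value.split()
    if not tokens:
        raise ValueError("classes must contain at least one class name")
    for tok in tokens:
        if not _CLASS_TOKEN.match(tok):
            raise ValueError(f"invalid CSS class name: {tok!r}")
    return " ".join(tokens)


def escape_macro_parameter(value: str) -> str:
    """SI-15 style output encoding for a double-quoted XWiki macro parameter value.

    Assumed rule: backslash and double quote are escaped with a backslash.
    The backslash is escaped first so the quote escape is not double-processed.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_box_unsafe(classes: str, content: str) -> str:
    """The CWE-116 pattern: the parameter is concatenated verbatim into wiki syntax."""
    return f'{{{{box cssClass="{classes}"}}}}{content}{{{{/box}}}}'


def render_box_safe(classes: str, content: str) -> str:
    """Validate, then encode: a value that survives both cannot alter the syntax."""
    classes = validate_css_classes(classes)
    return f'{{{{box cssClass="{escape_macro_parameter(classes)}"}}}}{content}{{{{/box}}}}'


def macro_open_count(rendered: str) -> int:
    """Number of macro openers in rendered syntax; the box template should yield 1."""
    return len(_MACRO_OPEN.findall(rendered))


if __name__ == "__main__":
    # Constructed input: a class list carrying stray quotes, which is already enough
    # to break the unsafe template out of its parameter value.
    noisy = 'code "highlight"'
    print(render_box_unsafe(noisy, "example"))   # malformed macro, 4 double quotes
    try:
        render_box_safe(noisy, "example")
    except ValueError as exc:
        print("rejected:", exc)                   # SI-10 stops it before rendering
    print(render_box_safe("code  java", "example"))
```

The order matters: validation narrows the value to what the parameter is for (class names), and escaping guarantees that whatever does reach the template is a literal. For a free-text parameter such as a title, where an allow-list is not practical, `escape_macro_parameter` alone still keeps the value inside its quotes; the count returned by `macro_open_count` is the kind of assertion worth adding to the macro's unit tests so a regression in escaping fails the build.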
Details
- CWE(s)