CVE-2025-32429
published 2025-07-24


Priority P192 · critical · CVSS 3.1 9.8 (AV:N AC:L PR:N UI:N S:U C:H I:H A:H)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS 85.41% (99.7th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, anyone can inject SQL through the sort parameter of the getdeleteddocuments.vm template: the value is placed as-is into an ORDER BY clause. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
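To make the bug class concrete, here is an added illustration that is not XWiki's code: a SQLite stand-in with constructed rows, in which the table name, column names and function names are assumptions. It places a caller-controlled sort value as-is into ORDER BY beside an allowlist-validated version, and shows a point the advisory text only implies: bind parameters cannot protect an ORDER BY position, and a conditional expression there reveals one bit per request through row order alone, so the fix is to reject anything that is not an allowlisted column and direction rather than to escape it.

```python
import sqlite3

# Constructed sample rows standing in for a deleted-documents listing (not XWiki's real schema).
ROWS = [
    ("Sandbox.Test", "zoe", "2025-07-03"),
    ("Main.WebHome", "admin", "2025-07-01"),
    ("Secret.Plans", "bob", "2025-07-02"),
]


def make_db():
    """Build an in-memory SQLite table; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deleted_docs (fullname TEXT, deleter TEXT, deleted_at TEXT)")
    conn.executemany("INSERT INTO deleted_docs VALUES (?, ?, ?)", ROWS)
    return conn


def list_deleted_vulnerable(conn, sort):
    """The advisory's bug class: the caller-controlled sort value lands as-is in ORDER BY.
    A bind parameter would not help here, since ORDER BY takes an identifier or expression, not a value."""
    query = f"SELECT fullname FROM deleted_docs ORDER BY {sort}"
    return [row[0] for row in conn.execute(query)]


def ordering_probe(condition_sql):
    """Attacker-style ORDER BY expression: rows sort by one column if the condition holds and by
    another otherwise, so the response order alone tells the attacker whether the condition was true."""
    return f"CASE WHEN ({condition_sql}) THEN deleter ELSE fullname END"


ALLOWED_SORT_COLUMNS = {"fullname", "deleter", "deleted_at"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def list_deleted_hardened(conn, sort):
    """Allowlist validation: accept '<column>' or '<column> asc|desc' and reject everything else
    before any SQL text is built."""
    parts = sort.strip().lower().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"invalid sort parameter: {sort!r}")
    column = parts[0]
    direction = parts[1] if len(parts) == 2 else "asc"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort parameter: {sort!r}")
    query = f"SELECT fullname FROM deleted_docs ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    db = make_db()
    print(list_deleted_vulnerable(db, "deleted_at"))
    true_probe = ordering_probe("(SELECT count(*) FROM deleted_docs WHERE deleter = 'bob') = 1")
    false_probe = ordering_probe("(SELECT count(*) FROM deleted_docs WHERE deleter = 'carol') = 1")
    print(list_deleted_vulnerable(db, true_probe))   # sorted by deleter: condition was true
    print(list_deleted_vulnerable(db, false_probe))  # sorted by fullname: condition was false
    try:
        list_deleted_hardened(db, true_probe)
    except ValueError as exc:
        print("rejected:", exc)
```

The two probe calls return rows in different orders depending on whether the embedded condition holds, which is the inference channel an attacker has even when the page content itself is harmless; the hardened function never lets the expression reach the database.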

Affected (4 ranges)

Vendor | Product        | Version range    | Fixed in
xwiki  | xwiki          | 17.0.0 – 17.2.2  |
xwiki  | xwiki          | >= 9.4 < 16.10.6 | 16.10.6
xwiki  | xwiki-platform |                  |
xwiki  | xwiki-platform |                  |
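An added helper (example code, not from XWiki or from the page's sources) that answers the question the table and description leave to the reader: is a given XWiki version string inside one of the two affected ranges, and which fixed release applies to that train. The range boundaries are the ones stated above; the ordering of pre-release qualifiers (milestone before rc before the final release) is an assumption about XWiki's version scheme.

```python
import re

# Pre-release qualifier ordering: milestone < rc < final release (assumption about XWiki's scheme).
QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?")


def parse_version(text):
    """Turn '17.3.0-rc-1' into a comparable key ((17, 3, 0), 1, 1) and '16.10.6' into ((16, 10, 6), 2, 0).
    Short forms such as '9.4' are padded with zeros so that '9.4' compares equal to '9.4.0'."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))
    if m.group(2):
        return (numbers, QUALIFIER_RANK[m.group(2)], int(m.group(3)))
    return (numbers, FINAL_RANK, 0)


# Inclusive ranges from the advisory text, each with the fixed release for its train.
AFFECTED_RANGES = [
    (parse_version("9.4-rc-1"), parse_version("16.10.5"), "16.10.6"),
    (parse_version("17.0.0-rc-1"), parse_version("17.2.2"), "17.3.0-rc-1"),
]


def affected_fix(version):
    """Return the version to upgrade to if `version` is affected, otherwise None."""
    key = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= key <= high:
            return fixed
    return None


def is_affected(version):
    return affected_fix(version) is not None


if __name__ == "__main__":
    for candidate in ("9.3.9", "9.4-rc-1", "16.10.5", "16.10.6", "17.0.0-rc-1", "17.2.2", "17.3.0-rc-1"):
        print(candidate, "->", affected_fix(candidate) or "not affected")
```

Note that 17.0.0-milestone-1 falls below the second range's lower bound and is reported as not affected, which is what the advisory's stated ranges say; treat any version the regex rejects as needing manual review rather than as safe.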

Detection & IOCs (extracted from sources)

url: /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected
path: /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=
filename: getdeleteddocuments.vm
command (payload): ,(select * from (select(sleep(5)))a)
command (URL-encoded payload): %2c(select%20*%20from%20(select(sleep(5)))a)
  • An HTTP 500 response whose body contains all three strings 'Exception', 'org.xwiki.livedata.LiveDataException' and 'HqlQueryScriptService', served with content-type text/javascript, indicates that the injected sort value reached the HQL query and failed; this is the success condition for an error-based probe.
  • A 500 status returned from the liveData REST endpoint when a crafted sort value is supplied is a strong indicator of an exploitation attempt. The time-based payload above relies on MySQL/MariaDB sleep(); an instance on a different database engine will not delay but will typically error, so the absence of a delay does not show that the instance is patched.
  • Shodan/FOFA fingerprint for XWiki instances: search for the HTML attribute 'data-xwiki-reference' to identify exposed targets.
  • Monitor GET requests to the liveData REST endpoint where the 'sort' parameter contains SQL metacharacters or keywords such as SELECT, SLEEP, UNION, OR, --, or their URL-encoded equivalents; URL-decode before matching, since the public payload is seen encoded (%2c, %20).
  • The vulnerability is unauthenticated (PR:N in the CVSS vector): no login is required to reach the sort parameter through the REST endpoint.
  • The injection point is an ORDER BY clause, not a WHERE clause, so the usual boolean-based payloads that append a condition do not apply directly; time-based and error-based techniques are the primary exploitation vectors.
  • Affected versions span two release trains: 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2. Fixed in 16.10.6 and 17.3.0-rc-1.
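Added example detection logic, not taken from the page's sources, that applies the indicators above to web-server access-log lines: requests to the liveData endpoint with the getdeleteddocuments.vm template whose sort value contains SQL keywords or metacharacters after URL decoding, plus the weaker signal of a 500 status with any sort value. A second function checks a captured response against the three-string error signature. The log lines are constructed, and the severity labels, keyword list and function names are choices made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and template named in the indicators above.
LIVEDATA_PATH = "/xwiki/rest/liveData/sources/liveTable/entries"
VULN_TEMPLATE = "getdeleteddocuments.vm"

# Keywords and metacharacters from the monitoring guidance; a comma is included because the
# public payload starts with one. Tune the list if legitimate multi-column sorts exist.
SQL_KEYWORDS = re.compile(r"\b(select|sleep|union|or|and|from|case|when|benchmark|pg_sleep)\b", re.I)
SQL_METACHARS = re.compile(r"[,;()'\"]|--|/\*")

# Three strings the indicators say co-occur in the 500 body of a successful trigger.
ERROR_MARKERS = ("Exception", "org.xwiki.livedata.LiveDataException", "HqlQueryScriptService")

# Common/combined log format; fields after the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})\b'
)


def classify_request(target, status):
    """Return (severity, reason) when a request matches the indicators, otherwise None."""
    parts = urlsplit(target)
    if parts.path != LIVEDATA_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("sourceParams.template", [""])[0] != VULN_TEMPLATE:
        return None
    for raw in qs.get("sort", []):
        decoded = unquote(raw)  # parse_qs decoded once; a second pass catches double-encoding
        if SQL_METACHARS.search(decoded) or SQL_KEYWORDS.search(decoded):
            return ("high", f"SQL pattern in sort={decoded!r}")
    if status == 500 and qs.get("sort"):
        return ("medium", "HTTP 500 from liveData endpoint with a sort value")
    return None


def scan_access_log(lines):
    """Run classify_request over access-log lines; returns one dict per hit, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        verdict = classify_request(m["target"], status)
        if verdict:
            hits.append({"ip": m["ip"], "status": status, "severity": verdict[0], "reason": verdict[1]})
    return hits


def response_indicates_trigger(status, content_type, body):
    """Error-based success signature: 500, text/javascript, and all three marker strings in the body."""
    return (
        status == 500
        and content_type.lower().startswith("text/javascript")
        and all(marker in body for marker in ERROR_MARKERS)
    )


# Constructed sample log lines using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jul/2025:10:00:01 +0000] "GET /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=%2c(select%20*%20from%20(select(sleep(5)))a) HTTP/1.1" 500 812',
    '203.0.113.7 - - [24/Jul/2025:10:00:02 +0000] "GET /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected HTTP/1.1" 500 512',
    '198.51.100.4 - - [24/Jul/2025:10:00:03 +0000] "GET /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=date HTTP/1.1" 200 2048',
    '198.51.100.4 - - [24/Jul/2025:10:00:04 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

On the sample lines the first request is flagged high (the encoded sleep payload decodes to a comma and SQL keywords), the second medium (a 500 on the vulnerable template with a sort value), and the remaining two are ignored; the double-decode step matters because a payload sent as %252c would otherwise pass the metacharacter check.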

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v4.0    | 9.3   | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck |         | 9.3   | CRITICAL |