CVE-2025-32429
Published 2025-07-24
Priority: P192 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 85.41% (99.7th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | 17.0.0 – 17.2.2 | — |
| xwiki | xwiki | >= 9.4 < 16.10.6 | 16.10.6 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
- URL: /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected
- Path: /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=
- HTTP 500 response containing all three strings ('Exception', 'org.xwiki.livedata.LiveDataException', and 'HqlQueryScriptService') in the body, combined with content-type text/javascript, indicates a successful SQL injection trigger via the sort parameter.
- A status code of 500 returned from the liveData REST endpoint when a crafted sort value is supplied is a strong indicator of an exploitation attempt.
- Shodan/FOFA fingerprint for XWiki instances: search for the HTML attribute 'data-xwiki-reference' to identify exposed targets.
- Monitor GET requests to the liveData REST endpoint where the 'sort' parameter contains SQL metacharacters or keywords such as SELECT, SLEEP, UNION, OR, --, or their URL-encoded equivalents.
- The vulnerability is unauthenticated (PR:N) per the CVSS vector, meaning no login is required to exploit the sort parameter injection via the REST endpoint.
- The injection point is the ORDER BY clause, not a WHERE clause: standard boolean-based SQLi payloads may not work; time-based and error-based techniques are the primary exploitation vectors.
- Affected versions span two release trains: 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2. Fixed in 16.10.6 and 17.3.0-rc-1.
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 9.3 CRITICAL
OSV
CVE-2025-32429 [CRITICAL] XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
osv · 2025-07-24
### Impact
It's possible for anyone to inject SQL using the parameter sort of the `getdeleteddocuments.vm`. It's injected as is as an ORDER BY value.
One can see the result of the injection with http://127.0.0.1:8080/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected (this example does not work, but it shows that an HQL query was executed with the passed value, which looks nothing like an ORDER BY value, without any kind of sanitization).
### Patches
This has been patched in 17.3.0-rc-1, 16.10.6.
### Workarounds
There is no known workaround, other than upgrading XWiki.
### References
https://jira.xwiki.org/browse/XWIKI-23093
### For m
GHSA
CVE-2025-32429 [CRITICAL] CWE-89 XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
ghsa · 2025-07-24 (advisory text identical to the OSV entry above)
VulnCheck
CVE-2025-32429 [CRITICAL] xwiki xwiki Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2025 · CVSS 9.3
Affected: xwiki xwiki
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-32429&date=2025-11-03; https://app.crowdsec.net/cti/cve-explorer/CV
No detection rules found.
Exploit-DB
CVE-2025-32429 [CRITICAL] XWiki 14 - SQL Injection via getdeleteddocuments.vm
exploitdb · 2025-07-28 · CVSS 9.3
---
# Exploit Title: XWiki 14 - SQL Injection via getdeleteddocuments.vm
# Google Dork: N/A
# Date: 28 July 2025
# Exploit Author: Byte Reaper
# LinkedIn: N/A
# Vendor Homepage: https://www.xwiki.org
# Software Link: https://www.xwiki.org
# Version: XWiki Platform ≤ 14.x
# Tested on: XWiki Platform ≤ 14.x
# CVE: CVE-2025-32429
## Vulnerability Description
A blind SQL Injection vulnerability exists in the XWiki Platform’s `getdeleteddocuments.vm` template, specifically via the `sort` parameter. The vulnerability can be exploited by sending a crafted payload to the following REST endpoint:
```
/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=
```
An attacker can inject arbitrary SQL stat
Nuclei
CVE-2025-32429 [CRITICAL] XWiki Platform - SQL Injection
nuclei · CVSS 9.3
Template:
```yaml
id: CVE-2025-32429
info:
  name: XWiki Platform - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value.
  impact: |
    Authen
```