CVE-2025-32973
published 2025-04-30CVE-2025-32973: XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before…
PriorityP348critical9CVSS 3.1
AVNACLPRLUIRSCCHIHAH
EPSS
0.34%
25.6th percentile
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 15.9 < 15.10.12 | 15.10.12 |
| xwiki | xwiki | >= 16.0.0 < 16.4.3 | 16.4.3 |
| xwiki | xwiki | >= 16.5.0 < 16.8.0 | 16.8.0 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
osv·2025-04-29
CVE-2025-32973 [CRITICAL] org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
### Impact
When a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an `XWiki.ComponentClass`, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use this to gain programming right on the wiki. For this, the attacker needs to have edit right on at least one page to place this object and then get an admin user to edit that document.
To reproduce the problem, as a user without programming right, add an object of type `XWiki.ComponentClass` to any page and then edit the page as a user with programming right. There should
GHSA
org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
ghsa·2025-04-29
CVE-2025-32973 [CRITICAL] CWE-862 org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
### Impact
When a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an `XWiki.ComponentClass`, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use this to gain programming right on the wiki. For this, the attacker needs to have edit right on at least one page to place this object and then get an admin user to edit that document.
To reproduce the problem, as a user without programming right, add an object of type `XWiki.ComponentClass` to any page and then edit the page as a user with programming right. There should
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-04-30
Published