CVE-2025-54125
Published 2025-08-06
Priority P277 · medium 6.5 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
In the wild: exploited (VulnCheck KEV)
EPSS: 1.21% (64.6th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page, which any user with view rights on that page can trigger by appending ?xpage=xml to the URL, includes password and email properties stored on the document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML export isn't needed; no feature in XWiki itself depends on the XML export.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 1.1 < 16.4.7 | 16.4.7 |
| xwiki | xwiki | >= 16.5.0 < 16.10.5 | 16.10.5 |
| xwiki | xwiki | 17.0.0 – 17.1.0 | 17.2.0-rc-1 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
URL patterns:
- /bin/view/XWiki/{{username}}?xpage=xml
- /xwiki/bin/view/XWiki/{{username}}?xpage=xml
Detection notes:
- An HTTP GET request to the XWiki XML view endpoint answered with status 200, content-type text/xml, and XML document structure tags in the body indicates an exploitation attempt of CVE-2025-54125.
- Shodan/FOFA fingerprint for XWiki instances: look for the HTML attribute 'data-xwiki-reference' in the page body to identify exposed targets.
- Monitor HTTP access logs for unauthenticated GET requests containing the query parameter '?xpage=xml' targeting paths under /bin/view/XWiki/ or /xwiki/bin/view/XWiki/.
- This vulnerability exposes sensitive information (passwords, emails) stored in custom document fields not named 'password' or 'email' via the xml.vm template; look for sensitive field values in XML export responses.
Context:
- The vulnerability only affects XWiki Platform Legacy Old Core and Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0. Fixed in 16.4.7, 16.10.5, and 17.2.0-rc-1.
- Workaround: deleting templates/xml.vm from the deployed WAR disables the XML export entirely; no XWiki feature depends on it.
- The information disclosure specifically affects custom fields NOT named 'password' or 'email': fields with those exact names are already protected, but semantically equivalent custom fields are exposed.
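The access-log check from the detection notes above, written out as an added example (it is not code from any of the indexed sources); it assumes the default combined log format of Apache httpd and nginx, and the log lines it runs over are constructed.

```python
"""Flag XWiki XML-export requests (CVE-2025-54125) in web server access logs.
Added example; assumes Apache/nginx combined log format. Sample lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Client IP, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Profile document path from the IoC list, with or without the /xwiki context root.
PROFILE_RE = re.compile(r'^(?:/xwiki)?/bin/view/XWiki/(?P<user>[^/]+)/?$')

def find_xml_exports(lines):
    """Return one dict per GET that asked a XWiki profile page for ?xpage=xml."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # unparseable or non-GET line: skip rather than crash
        parts = urlsplit(m["target"])
        # Look at the parsed query so 'xpage=xml' is found wherever it sits.
        query = parse_qs(parts.query, keep_blank_values=True)
        if "xml" not in query.get("xpage", []):
            continue
        p = PROFILE_RE.match(parts.path)
        if not p:
            continue  # other pages export too, but the IoC above is profile pages
        hits.append({
            "ip": m["ip"], "user": p["user"], "status": int(m["status"]),
            # 200 means the template answered; 403/404 are probes that got nothing.
            "served": m["status"] == "200",
        })
    return hits

SAMPLE_LOG = [  # constructed lines, not from a real server
    '203.0.113.7 - - [06/Aug/2025:10:01:02 +0000] "GET /xwiki/bin/view/XWiki/Admin?xpage=xml HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [06/Aug/2025:10:01:03 +0000] "GET /bin/view/XWiki/alice?xpage=xml&foo=1 HTTP/1.1" 200 4096 "-" "curl/8.0"',
    '198.51.100.2 - - [06/Aug/2025:10:02:00 +0000] "GET /xwiki/bin/view/XWiki/Admin HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Aug/2025:10:02:05 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?xpage=xml HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Aug/2025:10:03:00 +0000] "GET /xwiki/bin/view/XWiki/bob?xpage=xml HTTP/1.1" 404 300 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in find_xml_exports(SAMPLE_LOG):
        print(hit)
```

A hit with `served` set is worth correlating with the authenticated session that made it, since the export is reachable by any user with view rights.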
CVSS provenance
- NVD v3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- NVD v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 8.7 HIGH
OSV / GHSA (2025-08-05)
CVE-2025-54125 [HIGH] CWE-359 XWiki exposes passwords and emails stored in fields not named password/email in xml.vm
### Impact
The XML export of a page in XWiki, which any user with view rights on a page can trigger by appending `?xpage=xml` to the URL, includes password and email properties stored on a document that aren't named `password` or `email`. This allows any user to obtain the salted and hashed user account validation or password reset token. As those tokens are randomly generated strings, the immediate impact of this should be low. The user's password and email themselves aren't exposed, as those fields are named `password` and `email` and thus aren't affected. However, depending on how the wiki is used, there could be extensions or custom code that store passwords in plain text in such password properties.
VulnCheck (2025, CVSS 8.7)
CVE-2025-54125 [HIGH] xwiki xwiki Exposure of Private Personal Information to an Unauthorized Actor
No detection rules found.
Nuclei (CVSS 8.7)
CVE-2025-54125 [HIGH] XWiki XML View - Sensitive Information Exposure
A vulnerability in XWiki's XML view functionality exposes sensitive information such as passwords and email addresses that are stored in custom fields not explicitly named as password or email. This information disclosure occurs when accessing user profiles with the xml.vm template.
Template:
```yaml
id: CVE-2025-54125

info:
  name: XWiki XML View - Sensitive Information Exposure
  author: ritikchaddha
  severity: high
  description: |
    A vulnerability in XWiki's XML view functionality exposes sensitive information such as passwords and email addresses that are stored in custom fields not explicitly named as password or email. This information disclosure occurs when accessing user profiles with the xml.vm template.
  impact: |
    Unauthenticated attackers can
```
No writeups or analysis indexed.