CVE-2025-54125
published 2025-08-06

CVE-2025-54125: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old…

Priority: P277 (medium), CVSS 3.1 base score 6.5
CVSS 3.1 vector: AV:N AC:L PR:L UI:N S:U C:H I:N A:N
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 1.21% (64.6th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page, which any user with view rights on the page can trigger by appending ?xpage=xml to the URL, includes password and email properties stored on a document even when those properties are not named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML export isn't needed. No feature in XWiki itself depends on the XML export.

Affected (6 ranges)

Vendor   Product          Version range          Fixed in
xwiki    xwiki            >= 1.1 < 16.4.7        16.4.7
xwiki    xwiki            >= 16.5.0 < 16.10.5    16.10.5
xwiki    xwiki            17.0.0 – 17.1.0
xwiki    xwiki-platform
xwiki    xwiki-platform
xwiki    xwiki-platform

Detection & IOCs (extracted from sources)

url: /bin/view/XWiki/{{username}}?xpage=xml
url: /xwiki/bin/view/XWiki/{{username}}?xpage=xml
path: templates/xml.vm
other: ?xpage=xml
  • An HTTP GET request to the XWiki XML view endpoint that is answered with status 200, content-type text/xml and XML document structure tags in the body indicates an exploitation attempt of CVE-2025-54125.
  • Shodan/FOFA fingerprint for XWiki instances: the HTML attribute 'data-xwiki-reference' in the page body identifies exposed instances.
  • Monitor HTTP access logs for unauthenticated GET requests carrying the query parameter '?xpage=xml' against paths under /bin/view/XWiki/ or /xwiki/bin/view/XWiki/.
  • This vulnerability exposes sensitive information (passwords, emails) stored in custom document fields not named 'password' or 'email' via the xml.vm template; look for sensitive field values in XML export responses.
  • The vulnerability only affects XWiki Platform Legacy Old Core and Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0. Fixed in 16.4.7, 16.10.5, and 17.2.0-rc-1.
  • Workaround: deleting templates/xml.vm from the deployed WAR disables the XML export entirely; no XWiki feature depends on it.
  • The information disclosure specifically affects custom fields NOT named 'password' or 'email'; fields with those exact names are already protected, but semantically equivalent custom fields are exposed.
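As an added example (not part of this advisory record), a small Python scanner that applies the access-log detection bullet above: it parses constructed combined-format log lines and reports GET requests for the xml template against the paths named in the IOCs, recording whether the export was actually served. The log format, path prefixes, sample lines and addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined/common log format fields we need: client, auth user, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
# Paths named in the advisory's IOCs (user profile pages live in the XWiki space);
# the xml template applies to any viewed page, so any_page=True widens the match.
XWIKI_SPACE_PREFIXES = ("/bin/view/XWiki/", "/xwiki/bin/view/XWiki/")
VIEW_PREFIXES = ("/bin/view/", "/xwiki/bin/view/")

def is_xml_export_request(target, any_page=False):
    """True when the request target asks the view action for the xml template."""
    parts = urlsplit(target)
    prefixes = VIEW_PREFIXES if any_page else XWIKI_SPACE_PREFIXES
    if not parts.path.startswith(prefixes):
        return False
    return "xml" in parse_qs(parts.query).get("xpage", [])

def find_xml_export_hits(lines, any_page=False):
    """One record per GET request that asked for the XML export of a page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        if not is_xml_export_request(m["target"], any_page):
            continue
        hits.append({
            "ip": m["ip"],
            "user": m["user"],  # "-" means no HTTP-level auth user in the log
            "path": urlsplit(m["target"]).path,
            "status": int(m["status"]),
            "served": m["status"] == "200",  # export body actually returned
        })
    return hits

# Constructed sample access-log lines (RFC 5737 addresses), not from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2025:10:14:02 +0000] "GET /xwiki/bin/view/XWiki/Admin?xpage=xml HTTP/1.1" 200 4182
203.0.113.7 - - [06/Aug/2025:10:14:03 +0000] "GET /xwiki/bin/view/XWiki/Guest?xpage=xml HTTP/1.1" 403 512
198.51.100.23 - - [06/Aug/2025:10:15:11 +0000] "GET /xwiki/bin/view/XWiki/Admin HTTP/1.1" 200 9931
198.51.100.23 - - [06/Aug/2025:10:15:12 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=xml HTTP/1.1" 200 2210
""".splitlines()

if __name__ == "__main__":
    for hit in find_xml_export_hits(SAMPLE_LOG):
        print(hit)
```

Only hits with served=True on an unpatched version are worth treating as a likely disclosure; the others still show reconnaissance against the endpoint.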

CVSS provenance

nvd, CVSS v3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 8.7 HIGH