#VU125588 Missing Authorization in XWiki platform - CVE-2025-23025

Published: January 14, 2025 / Updated: April 9, 2026


Vulnerability identifier: #VU125588
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-23025
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to missing authorization in the realtime WYSIWYG editor when it handles realtime editing sessions in which some participants hold script or programming rights. A remote user who does not hold those rights can insert a script rendering macro into the content being edited; because the edited content is shared with the privileged participant, the macro can end up saved and executed with that participant's rights, allowing the attacker to escalate privileges.

User interaction is required: exploitation depends on another participant in the same realtime editing session holding script or programming rights.
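A practitioner hunting for abuse of this weakness will want to know whether script rendering macros were introduced into pages that were edited in realtime sessions. The scanner below is an added example written for this page, not XWiki's own code. It assumes the XWiki Syntax 2.x macro form (`{{name}}...{{/name}}` or `{{name /}}`, with `~` as the escape character) and the usual script macro names (groovy, velocity, python, ruby, php, script); the page content it scans has to be supplied by you, for example from a XAR export or the REST API. The sample wiki content embedded in it is constructed for the example.

```python
import re
from dataclasses import dataclass

# Script rendering macros in XWiki Syntax 2.x (assumed list for this example).
SCRIPT_MACROS = {"groovy", "velocity", "python", "ruby", "php", "script"}

# {{name params}} / {{name params/}} / {{/name}}; a leading '~' escapes the
# braces in XWiki syntax, so such occurrences are not macros.
MACRO_RE = re.compile(r"(?<!~)\{\{(/?)([A-Za-z][\w.-]*)([^}]*?)(/?)\}\}")


@dataclass
class Finding:
    line: int      # 1-based line in the scanned content
    macro: str     # lower-cased macro name
    snippet: str   # opening tag as it appears in the content


def find_script_macros(content, ignore_inside=("code",)):
    """Return script macro invocations in XWiki page content.

    Macros nested inside the macros named in `ignore_inside` (by default the
    {{code}} macro, whose body is rendered verbatim and not executed) are
    skipped, and `~`-escaped braces are not treated as macros.
    """
    findings = []
    depth = 0  # nesting depth inside ignored container macros
    for m in MACRO_RE.finditer(content):
        closing, name, _params, selfclosing = m.groups()
        name = name.lower()
        if name in ignore_inside:
            if closing:
                depth = max(0, depth - 1)
            elif not selfclosing:
                depth += 1
            continue
        if closing or depth > 0:
            continue
        if name in SCRIPT_MACROS:
            line = content.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, name, m.group(0)))
    return findings


# Constructed sample: content as it might look after a realtime session in
# which a low-privilege participant injected a velocity macro.
SAMPLE = """= Meeting notes =

Some text typed by a low-privilege participant.

{{velocity}}
$xcontext.getUser()
{{/velocity}}

{{code language="none"}}
{{groovy}}println("not executed, body of the code macro"){{/groovy}}
{{/code}}

Literal braces: ~{{python}} is not a macro.
"""

if __name__ == "__main__":
    for f in find_script_macros(SAMPLE):
        print(f"line {f.line}: {f.macro} macro ({f.snippet})")
```

Run it over every revision saved by a user who holds script or programming rights while a realtime session was open; a script macro that first appears in such a revision, but whose text was not typed by that user, is the pattern this advisory describes.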


Remediation

Install the security update from the vendor's website.

External links