CVE-2025-23025
📋 TL;DR
In XWiki Platform, users with only edit rights can join realtime editing sessions and insert script rendering macros that execute for users with script/programming rights. This allows privilege escalation where low-privilege users can gain higher access rights. Affects XWiki installations with the experimental Realtime WYSIWYG Editor extension enabled.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Low-privilege user gains administrative access, leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Privilege escalation allowing attackers to modify content, access sensitive information, or install malicious extensions.
If Mitigated
Limited impact if realtime editing is disabled or proper access controls prevent unauthorized users from editing sensitive pages.
🎯 Exploit Status
Exploitation requires a user with edit rights and knowledge of script rendering macros. No public exploit code is known, but the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.10.2, 16.4.1, or 16.6.0-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg
Restart Required: Yes
Instructions:
1. Back up your XWiki instance.
2. Upgrade to XWiki 15.10.2, 16.4.1, or 16.6.0-rc-1.
3. Restart the XWiki service.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable Realtime WYSIWYG Editor plugin
Disable the xwiki-realtime CKEditor plugin from the WYSIWYG editor administration section.
Navigate to Administration > WYSIWYG Editor > CKEditor Integration > Disable 'xwiki-realtime' plugin
Uninstall Realtime WYSIWYG Editor extension
Remove the vulnerable extension completely.
Uninstall extension: org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui
🧯 If You Can't Patch
- Disable the realtime WYSIWYG editor plugin immediately
- Restrict edit rights to trusted users only and audit user permissions
🔍 How to Verify
Check if Vulnerable:
Check if XWiki version is below 15.10.2, 16.4.1, or 16.6.0-rc-1 and if the Realtime WYSIWYG Editor extension is installed/enabled.
Check Version:
Check XWiki version in Administration > About XWiki or via xwiki.cfg file
Verify Fix Applied:
Verify XWiki version is 15.10.2, 16.4.1, or 16.6.0-rc-1 or higher, and confirm realtime editing functions properly without privilege escalation.
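As an added example (not code from the advisory or from XWiki), the following Python check implements the verification rule above: it parses XWiki version strings with their -rc-/-milestone- pre-release suffixes (so that 16.6.0-rc-1 sorts before 16.6.0), picks the fix release for the version's branch (which makes 16.5.0 vulnerable even though it is newer than 16.4.1), and combines that with whether the Realtime WYSIWYG Editor extension is installed, which the caller supplies as a boolean. The page states no lower bound for affected versions, so older releases are flagged the same way.

```python
import re
from typing import Optional, Tuple

# Fix releases as listed on this page, one per affected branch.
FIX_15 = "15.10.2"
FIX_16_4 = "16.4.1"
FIX_16_6 = "16.6.0-rc-1"

# Pre-release stages sort before the final release of the same number.
_STAGE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version like '16.6.0-rc-1' into a comparable tuple
    (major, minor, patch, stage_rank, stage_number), so that
    '16.6.0-rc-1' < '16.6.0' and '15.10-rc-1' < '15.10.2'."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch = (int(x or 0) for x in m.group(1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def applicable_fix(version: str) -> Optional[str]:
    """Which of the page's fix releases applies to this version's branch.
    None means the version is newer than every fix line (17.x and later)."""
    major, minor = parse_version(version)[:2]
    if major < 16:
        return FIX_15
    if major == 16:
        return FIX_16_4 if minor < 5 else FIX_16_6
    return None


def is_fixed(version: str) -> bool:
    """True when the version is at or above the fix release for its branch."""
    fix = applicable_fix(version)
    return fix is None or parse_version(version) >= parse_version(fix)


def is_vulnerable(version: str, realtime_extension_installed: bool) -> bool:
    """The page's rule: vulnerable when the version is below the fix for its
    branch AND the Realtime WYSIWYG Editor extension is installed/enabled."""
    return realtime_extension_installed and not is_fixed(version)
```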
📡 Detection & Monitoring
Log Indicators:
- Unusual script execution in realtime editing sessions
- Multiple users joining/leaving realtime sessions rapidly
- Privilege escalation attempts in audit logs
Network Indicators:
- Increased traffic to realtime editing endpoints
- Unusual POST requests containing script macros
SIEM Query:
source="xwiki.log" AND ("realtime" OR "script macro") AND ("error" OR "unauthorized" OR "privilege")
🔗 References
- https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection
- https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg
- https://jira.xwiki.org/browse/XWIKI-21949