CVE-2025-23025

Critical

Published: 14 January 2025

Published

14 January 2025

Modified

13 May 2025

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0219 84.5th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).

Security Summary

CVE-2025-23025 is a high-severity vulnerability (CVSS 3.1 score of 9.0) affecting the Realtime WYSIWYG Editor extension in the XWiki Platform, a generic wiki platform providing runtime services for applications. The issue, linked to CWE-862 (Missing Authorization), arises in versions where the extension was experimental and not recommended for use; it became enabled by default starting with XWiki 16.9.0. A user with only edit rights can exploit this during realtime collaborative editing sessions by inserting script rendering macros.

An attacker requires low-privilege edit access (PR:L) and must interact with a realtime editing session (UI:R) where other participants possess script or programming rights. By joining such a session—either with existing higher-privileged users or anticipating their arrival—the low-privileged user can insert malicious script macros. These macros execute in the context of the higher-privileged users' sessions (scope changed, S:C), potentially allowing the attacker to escalate privileges, achieve high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), and gain additional access rights across network-accessible (AV:N) instances with low complexity (AC:L).

Advisories recommend upgrading to patched versions: XWiki 15.10.2, 16.4.1, or 16.6.0-rc-1. For those unable to upgrade, mitigations include disabling the "xwiki-realtime" CKEditor plugin via the WYSIWYG editor administration section or uninstalling the Realtime WYSIWYG Editor extension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui). Details are available in the XWiki GitHub security advisory (GHSA-rmm7-r7wr-xpfg), JIRA ticket XWIKI-21949, and extension documentation.

Details

CWE(s): CWE-862

Affected Products

xwiki

16.5.0 · 13.9 — 15.10.12 · 16.0.0 — 16.4.1

References

https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection
Product · security-advisories@github.com
https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor
Product · security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg
Vendor Advisory · security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21949
Issue Tracking, Vendor Advisory · security-advisories@github.com