CVE-2025-23025: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-23025) was discovered in XWiki Platform's Realtime WYSIWYG Editor extension. The vulnerability affects versions from 13.9-rc-1 up to, but not including, 15.10.12, 16.4.1, and 16.6.0-rc-1. Note that this extension was experimental and not recommended in the affected versions, though it became enabled by default starting with XWiki 16.9.0. The vulnerability was disclosed on January 14, 2025 (GitHub Advisory).

The vulnerability stems from insufficient authorization controls in the realtime editing session mechanism. It allows users with only edit permissions to execute script rendering macros in a context where other users with higher privileges (script or programming access rights) are present in the same editing session. The vulnerability has been assigned a CVSS v3.1 base score of 9.0 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (GitHub Advisory).

The vulnerability enables privilege escalation where an attacker with basic edit rights can execute arbitrary script macros that run with the privileges of other users in the editing session who have script or programming access rights. This can be exploited to gain unauthorized access rights and potentially compromise the system (GitHub Advisory).

The vulnerability has been patched in XWiki versions 15.10.12, 16.4.1, and 16.6.0-rc-1. For users unable to upgrade, there are two workaround options: 1) Disable the realtime WYSIWYG editing by disabling the xwiki-realtime CKEditor plugin from the WYSIWYG editor administration section, or 2) Uninstall the Realtime WYSIWYG Editor extension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui) (GitHub Advisory).