XWiki Rendering Macro Exploitation (Pre-13.10.11, <14.10)
CVE-2025-53836 Published on July 15, 2025

XWiki Rendering is vulnerable to RCE attacks when processing nested macros
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.
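The context-propagation defect described above, as an added simplified Python model (not XWiki's code; the {{name}}...{{/name}} macro syntax, the class names and the set of container macros are constructed assumptions) showing why the nested transformation context must inherit the restricted attribute:

```python
import re
from dataclasses import dataclass


@dataclass
class TransformationContext:
    """Stand-in for a transformation context; only the restricted flag is modelled."""
    restricted: bool = False


class MacroForbidden(Exception):
    """Raised when a macro is refused because the context is restricted."""


# Constructed macro syntax for this model: {{name}}body{{/name}}
MACRO_RE = re.compile(r"\{\{(\w+)\}\}(.*?)\{\{/\1\}\}", re.S)

# Macros that re-parse their body as content that may contain further macros
CONTAINER_MACROS = {"cache", "chart"}


def render(text, ctx, preserve_restricted=True):
    """Render macros in `text` under `ctx`.

    preserve_restricted=False reproduces the vulnerable behaviour: the body of a
    container macro is parsed in a fresh context that drops the restricted
    attribute. preserve_restricted=True is the patched behaviour.
    """
    def execute(match):
        name, body = match.group(1), match.group(2)
        if name == "script":
            if ctx.restricted:
                raise MacroForbidden("script macro not allowed in restricted mode")
            return "<script executed>"
        if name in CONTAINER_MACROS:
            nested = TransformationContext(
                restricted=ctx.restricted if preserve_restricted else False
            )
            return render(body, nested, preserve_restricted)
        return body  # any other macro just echoes its body in this model
    return MACRO_RE.sub(execute, text)


def script_runs_in_restricted_context(text, preserve_restricted):
    """True if a script macro in `text` executes although the outer context
    (for example a comment rendered in restricted mode) is restricted."""
    try:
        out = render(text, TransformationContext(restricted=True), preserve_restricted)
    except MacroForbidden:
        return False
    return "<script executed>" in out
```

Running `script_runs_in_restricted_context("{{cache}}{{script}}1+1{{/script}}{{/cache}}", False)` returns True (the nesting bypasses the restriction), while the same call with True returns False.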


Vulnerability Analysis

CVE-2025-53836 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. A public proof of concept (PoC) exploit exists for CVE-2025-53836. The potential impact of an exploit of this vulnerability is considered to be critical, as it has a high impact on the confidentiality, integrity and availability of this component.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Types

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2025-53836 has been classified as an AuthZ vulnerability or weakness.

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2025-53836 has been classified as a Code Injection vulnerability or weakness.


Products Associated with CVE-2025-53836


Affected Versions

xwiki-rendering:

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-53836

Package Manager | Vulnerable Package                                           | Versions                        | Fixed In
maven           | org.xwiki.rendering:xwiki-rendering-transformation-macro     | >= 4.2-milestone-1, < 13.10.11  | 13.10.11
maven           | org.xwiki.rendering:xwiki-rendering-transformation-macro     | >= 14.0, < 14.4.7               | 14.4.7
maven           | org.xwiki.rendering:xwiki-rendering-transformation-macro     | >= 14.5, < 14.10                | 14.10

Exploit Probability

EPSS: 5.50%
Percentile: 90.33%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.