Incorrect Authorization affecting the org.xwiki.rendering:xwiki-rendering-transformation-macro package, versions [4.2-milestone-1, 13.10.11), [14.0, 14.4.7), [14.5, 14.10)


Severity

critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-JAVA-ORGXWIKIRENDERING-10743086
  • published: 15 Jul 2025
  • disclosed: 14 Jul 2025
  • credit: René de Sain

Introduced: 14 Jul 2025

CVE-2025-53836
CWE-863
CWE-94

How to fix?

Upgrade org.xwiki.rendering:xwiki-rendering-transformation-macro to version 13.10.11, 14.4.7, 14.10 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Authorization because the restricted attribute of the transformation context is not handled correctly when nested macros are processed. An attacker can execute arbitrary code with elevated privileges by crafting macro content that bypasses the intended restrictions. Any macro that uses the macro content parser with the transform parameter set to true is affected, such as the cache and chart macros bundled with XWiki.

Note: This is only exploitable if an attacker can submit specially crafted macro syntax, e.g., through comments or using the object editor.

Workaround

This vulnerability can be partially mitigated by disabling comments for untrusted users.

Note: Users with edit rights will still be able to add comments via the object editor even if comments have been disabled.

PoC

{{cache}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/cache}}
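The PoC above has a shape that a defender can look for while an upgrade is being rolled out: a script macro whose opening tag sits inside the body of a content-transforming macro (cache or chart, per the Overview). The following scanner is an added example, not code from XWiki or from Snyk. It assumes the XWiki 2.x macro syntax shape ({{name param="v"}} ... {{/name}} and self-closing {{name/}}), the list of script macros is illustrative rather than taken from XWiki's macro registry, and the comment bodies it scans are constructed here. It reports only the nested shape; a top-level script macro is left alone because that is the normal path on which XWiki's rights checks apply.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Macros that re-parse their body with the macro content parser and
# transform=true; cache and chart are the two the advisory names.
TRANSFORMING_MACROS = {"cache", "chart"}

# Script macros whose execution normally requires script/programming rights.
# Assumption: this list is illustrative, not taken from XWiki's macro registry.
SCRIPT_MACROS = {"groovy", "python", "velocity", "script"}

# XWiki 2.x style macro tokens: {{name param="v"}}, {{/name}} and {{name/}}.
MACRO_TOKEN = re.compile(r"\{\{(/?)([A-Za-z0-9_-]+)([^{}]*?)(/?)\}\}")


@dataclass
class Finding:
    script_macro: str           # the nested script macro that was found
    enclosing: Tuple[str, ...]  # enclosing macro chain, outermost first
    offset: int                 # character offset of the script macro token


def find_nested_script_macros(text: str) -> List[Finding]:
    """Return every script macro that sits inside a transforming macro.

    Only the nesting shape from the advisory (a script macro inside
    cache/chart content, possibly with further macros in between) is flagged.
    """
    stack: List[str] = []
    findings: List[Finding] = []
    for m in MACRO_TOKEN.finditer(text):
        closing, name, _params, self_closing = m.groups()
        name = name.lower()
        if closing:
            # Pop back to the matching opener; tolerate unbalanced input.
            while stack:
                if stack.pop() == name:
                    break
            continue
        if name in SCRIPT_MACROS and any(n in TRANSFORMING_MACROS for n in stack):
            findings.append(Finding(name, tuple(stack), m.start()))
        if not self_closing:
            stack.append(name)
    return findings


# Constructed sample comment bodies; the first reuses the advisory's PoC shape.
SAMPLE_COMMENTS = [
    '{{cache}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/cache}}',
    '{{cache timeToLive="60"}}Just some cached text{{/cache}}',
    "{{groovy}}println(1){{/groovy}}",
    '{{chart type="pie"}}{{box}}{{velocity}}$doc.name{{/velocity}}{{/box}}{{/chart}}',
    "{{toc/}} plain comment with no macros of interest",
]


def scan_comments(comments: List[str]) -> dict:
    """Map comment index -> findings, for every comment with at least one."""
    report = {}
    for idx, body in enumerate(comments):
        hits = find_nested_script_macros(body)
        if hits:
            report[idx] = hits
    return report


if __name__ == "__main__":
    for idx, hits in scan_comments(SAMPLE_COMMENTS).items():
        for f in hits:
            chain = " > ".join(f.enclosing)
            print(f"comment {idx}: {f.script_macro} nested in {chain} at offset {f.offset}")
```

Run against the constructed samples, the scanner flags comment 0 (the PoC shape) and comment 3 (a velocity macro two levels deep under chart) and ignores the rest. Matching is case-insensitive on macro names and tolerates unbalanced closing tags, since stored comments are not guaranteed to be well formed. This is a triage aid for reviewing existing comments and objects; the fix remains the upgrade named above.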
