xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro
Description
Summary
The excerpt-include macro does not properly escape the title of the included page and executes the content of the excerpt with the macro's rights. Therefore, it is vulnerable to XWiki syntax injection via the included page's title and content, allowing remote code execution for any user who can edit a page.
Details
The title of the included page isn't escaped in ExcerptInclude.xml#L277. Further, the content of the excerpt macro is rendered to XWiki syntax and output into the macro's content such that it is executed with the macro's rights.
PoC

1. As a user without script or programming right, create a page named `Exploit`.
2. In the edit screen, change the title to `{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}`.
3. Set the content to:

```
{{excerpt-include 0="Exploit.WebHome"}}{{/excerpt-include}}

{{excerpt}}
{{async}}{{groovy}}println("Hello from Groovy content!"){{/groovy}}{{/async}}
{{/excerpt}}
```

4. Save and view the page.
5. If the page displays "Hello from Groovy Title!" without the surrounding macro code, or displays "Hello from Groovy content!", the attack succeeded.
Impact
Remote code execution impacts the confidentiality, integrity and availability of the whole XWiki installation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.xwiki.pro:xwiki-pro-macros (Maven) | >= 1.13, < 1.14.5 | 1.14.5 |
Vulnerability mechanics
Root cause
"Missing escaping of the included page title in ExcerptInclude.xml#L277 and execution of excerpt content with the macro's rights allows XWiki syntax injection."
Attack vector
An attacker who can edit a page creates a page whose title contains XWiki syntax such as `{{async}}{{groovy}}...{{/groovy}}{{/async}}`. When the `excerpt-include` macro includes that page, the unescaped title is injected into the output and executed as XWiki syntax. Similarly, the excerpt content is rendered and executed with the macro's rights, enabling remote code execution [CWE-95] [ref_id=1].
Affected code
The vulnerability is in `ExcerptInclude.xml` at line 277, where the title of the included page is not escaped before being output. Additionally, the excerpt macro's content is rendered to XWiki syntax and executed with the macro's rights, allowing injection of arbitrary XWiki syntax.
What the fix does
The advisory lists 1.14.5 as the patched version but does not link a fix commit. A fix needs to escape the included page's title at `ExcerptInclude.xml#L277` before it is output as XWiki syntax, and to stop rendering the excerpt's content with the macro's rights (so that script macros inside the excerpt run with the rights of the excerpt's author, not of the macro). Until the patched version is installed, restrict edit permissions to trusted users and check the installed `xwiki-pro-macros` version against the affected range above.
Preconditions
- Auth: The attacker must have the ability to create or edit a page in the XWiki instance.
- Input: The attacker must be able to set the page title and content to arbitrary XWiki syntax.
Reproduction
1. As a user without script or programming right, create a page named `Exploit`.
2. In the edit screen, change the title to `{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}`.
3. Set the content to:

```
{{excerpt-include 0="Exploit.WebHome"}}{{/excerpt-include}}

{{excerpt}}
{{async}}{{groovy}}println("Hello from Groovy content!"){{/groovy}}{{/async}}
{{/excerpt}}
```

4. Save and view the page.
5. If the page displays "Hello from Groovy Title!" without the surrounding macro code, or displays "Hello from Groovy content!", the attack succeeded.
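The following is an added illustration, not code from xwiki-pro-macros or from the advisory. It models the two halves of the bug described in the PoC and the attack vector above: a template that interpolates an untrusted page title straight into XWiki syntax (so the `{{async}}{{groovy}}` markers in the title become real macro calls), the same template with the title escaped, and a scanner a wiki administrator can run over an export of page titles and contents to find pages that carry the PoC pattern. Assumptions: XWiki 2.x syntax uses `~` as its escape character (which is how the escaped output is neutralised here; the exact change shipped in 1.14.5 is not reproduced), the `= ... =` heading wrapper is a stand-in for the macro's real markup, and the sample pages, including the `author_has_script_right` field, are constructed for the example.

```python
import re

# Start of a macro invocation in XWiki 2.x syntax, e.g. {{groovy}} or
# {{excerpt-include 0="..."}}; closing markers like {{/groovy}} are skipped.
MACRO_START_RE = re.compile(r"\{\{\s*(?!/)([A-Za-z][\w-]*)")

# Excerpt block as used in the PoC: {{excerpt}} ... {{/excerpt}} (not excerpt-include).
EXCERPT_RE = re.compile(r"\{\{excerpt(?:\s[^}]*)?\}\}(.*?)\{\{/excerpt\}\}", re.S)

# Macros that execute code or wrap code execution; assumption: this list is
# what an administrator would treat as dangerous in an excerpt.
SCRIPT_MACROS = {"groovy", "velocity", "python", "script", "async"}


def escape_xwiki(text: str) -> str:
    """Escape text for XWiki 2.x syntax by prefixing every character with '~'.

    '~x' renders as the literal character x, so '~{~{' can never open a macro.
    """
    return "".join("~" + ch for ch in text)


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the raw title lands in the generated wiki syntax."""
    return f"= {title} =\n"


def render_title_safe(title: str) -> str:
    """Hardened pattern: the title is escaped before it is output."""
    return f"= {escape_xwiki(title)} =\n"


def macro_names(wiki_text: str) -> list[str]:
    """Return the macros the renderer would invoke on this wiki text.

    Escaped pairs ('~' plus one character) are removed first, so '~{~{' does
    not count as a macro start while '~~{{' (escaped tilde, then a real macro)
    still does.
    """
    visible_syntax = re.sub(r"~.", "\x00", wiki_text, flags=re.S)
    return [m.group(1).lower() for m in MACRO_START_RE.finditer(visible_syntax)]


def script_macros_in_excerpts(content: str) -> list[str]:
    """List script macros found inside {{excerpt}} blocks of a page's content."""
    found = []
    for block in EXCERPT_RE.finditer(content):
        found += [n for n in macro_names(block.group(1)) if n in SCRIPT_MACROS]
    return found


def audit_pages(pages: list[dict]) -> list[tuple[str, str]]:
    """Flag pages whose title carries macro syntax, or whose excerpts carry
    script macros written by an author without script right (the PoC's
    precondition). Each finding is (page name, reason)."""
    findings = []
    for page in pages:
        if macro_names(page["title"]):
            findings.append((page["name"], "macro syntax in title"))
        if not page["author_has_script_right"] and script_macros_in_excerpts(page["content"]):
            findings.append((page["name"], "script macro inside excerpt"))
    return findings


# Constructed sample data mirroring the PoC plus one benign page.
POC_TITLE = '{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}'
POC_CONTENT = (
    '{{excerpt-include 0="Exploit.WebHome"}}{{/excerpt-include}}\n\n'
    '{{excerpt}}\n'
    '{{async}}{{groovy}}println("Hello from Groovy content!"){{/groovy}}{{/async}}\n'
    '{{/excerpt}}\n'
)
SAMPLE_PAGES = [
    {"name": "Exploit.WebHome", "title": POC_TITLE, "content": POC_CONTENT,
     "author_has_script_right": False},
    {"name": "Docs.WebHome", "title": "Release notes {2025}",
     "content": "{{excerpt}}Plain summary text.{{/excerpt}}",
     "author_has_script_right": False},
]

if __name__ == "__main__":
    print("unsafe title invokes:", macro_names(render_title_unsafe(POC_TITLE)))
    print("escaped title invokes:", macro_names(render_title_safe(POC_TITLE)))
    for name, reason in audit_pages(SAMPLE_PAGES):
        print(f"{name}: {reason}")
```

In a real Velocity-based macro the escaping step would be done with XWiki's rendering escape call for the page's syntax rather than a hand-rolled loop; the point of the model is that the title must be treated as data, not as syntax, before it is concatenated into the macro's output. The audit only finds the pattern the PoC uses; the underlying issue is fixed by upgrading, not by scanning.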
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.