SQL Injection Vulnerability in XWiki Platform by XWiki
CVE-2025-32429
Key Information:
- Vendor: XWiki
- Status: Vendor
- CVE Published: 24 July 2025
What is CVE-2025-32429?
CVE-2025-32429 is a significant SQL injection vulnerability in the XWiki Platform, an open-source wiki for creating and managing content collaboratively. It affects XWiki Platform versions from 9.4-rc-1 up to 16.10.5 and from 17.0.0-rc-1 through 17.2.2. The flaw arises from how user input in the 'sort' parameter of the getdeleteddocuments.vm template is handled, which allows a malicious actor to inject arbitrary SQL statements. This can lead to unauthorized database access, data manipulation, and loss of data integrity. Organizations running affected versions may face significant operational disruptions, data breaches, or loss of sensitive information.
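The root cause described above is a sort value that ends up in a query's ORDER BY clause, a position where bind parameters cannot be used, so escaping is not an option and the value has to be allowlisted. The following is an added illustration in Python over a constructed SQLite table, not XWiki's own code: the table name, its columns, and the assumed 'field' or 'field:direction' format of the sort parameter are all assumptions made for this example.

```python
import sqlite3

# Assumed schema for a deleted-documents listing (constructed for this example;
# not XWiki's real schema). Users supply a key, never a raw identifier.
ALLOWED_SORT_COLUMNS = {
    "name": "doc_name",
    "deleter": "deleter",
    "date": "deletion_date",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort: str) -> str:
    """Map a user-supplied sort value (assumed format 'field' or 'field:dir')
    onto a fixed ORDER BY fragment. Identifiers cannot be bound as query
    parameters, so anything outside the allowlist is rejected, not escaped."""
    field, _, direction = sort.partition(":")
    column = ALLOWED_SORT_COLUMNS.get(field.strip().lower())
    order = ALLOWED_DIRECTIONS.get((direction or "asc").strip().lower())
    if column is None or order is None:
        raise ValueError(f"unsupported sort value: {sort!r}")
    return f"ORDER BY {column} {order}"


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE deleted_docs (doc_name TEXT, deleter TEXT, deletion_date TEXT)"
    )
    conn.executemany(
        "INSERT INTO deleted_docs VALUES (?, ?, ?)",
        [("Main.Alpha", "alice", "2025-07-01"),
         ("Main.Gamma", "bob", "2025-06-15"),
         ("Main.Beta", "carol", "2025-07-20")],
    )
    return conn


def list_deleted_documents(conn: sqlite3.Connection, sort: str, limit: int = 10) -> list:
    """Only the allowlisted ORDER BY fragment is interpolated; values that can
    be bound (here, the limit) are passed as real query parameters."""
    query = f"SELECT doc_name FROM deleted_docs {build_order_by(sort)} LIMIT ?"
    return [row[0] for row in conn.execute(query, (limit,))]


if __name__ == "__main__":
    db = open_sample_db()
    print(list_deleted_documents(db, "date:desc"))
    try:
        list_deleted_documents(db, "deletion_date")  # raw column name: not a key
    except ValueError as err:
        print("rejected:", err)
```

Because the map goes from a fixed set of keys to column names, a caller can never steer the query with an identifier or operator of their own choosing, which is the property the vulnerable template lacked.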
Potential impact of CVE-2025-32429
- Data Breach Risks: The SQL injection can lead to unauthorized access to sensitive data stored in databases, exposing critical information held by organizations and potentially leading to legal and regulatory repercussions.
- System Integrity Compromise: Attackers can manipulate database queries to alter or delete records, which can disrupt business operations and lead to the loss of essential content and historical data.
- Increased Attack Surface: With this vulnerability being actively exploited, organizations running vulnerable versions of the XWiki Platform may become prime targets for further attacks, including ransomware incidents, as they may lack the necessary defenses and patches to mitigate risks.
Affected Version(s)
- xwiki-platform: affected >= 9.4-rc-1, < 16.10.6 (not affected: < 9.4-rc-1; fixed in 16.10.6)
- xwiki-platform: affected >= 17.0.0-rc-1, < 17.3.0-rc-1 (not affected: < 17.0.0-rc-1; fixed in 17.3.0-rc-1)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.