PT-2025-40901 · Xwiki · Xwiki Platform

Michael Hamann · Published 2025-05-26 · Updated 2025-12-01 · CVE-2025-52472

CVSS v2.0: 10 (Critical), Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 4.3-milestone-1 through 16.10.8
XWiki Platform versions 17.4.0 through 17.4.1
XWiki Platform version 17.5.0-rc-1 (the pre-release; the 17.5.0 release itself contains the fix)
Description

The XWiki Platform, a generic wiki platform, contains an HQL injection flaw in the REST search URL: the value of the orderField parameter is spliced into the HQL query as query text rather than validated against a fixed set of sortable fields.

The supplied value is inserted into the query twice, which makes exploitation slightly harder but does not prevent it. A value that ends in a single quote turns everything between the two occurrences into a string literal, so only the first copy of the value is parsed as query syntax; the injected text must still produce a query that is valid with the parameter present in both places.

The issue affects versions from 4.3-milestone-1 onwards and is fixed in 16.10.9, 17.4.2 and 17.5.0. The affected endpoint is the REST search URL; the vulnerable parameter is orderField.
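The following is an added illustration of the injection pattern the description refers to; it is not code from this page or from the XWiki project. It uses a hypothetical query template and a constructed in-memory SQLite schema in place of XWiki's HQL and Hibernate mapping, so the real query text, real payload and real patch differ. It shows why a parameter inserted twice is still exploitable (a value ending in a single quote swallows the text between the two occurrences into one string literal, leaving only the first occurrence as live query syntax) and shows one standard hardening, an allow-list of sortable field names, which is not a description of the project's actual fix.

```python
import sqlite3

# Constructed toy schema standing in for the wiki's tables (not XWiki's schema).
SCHEMA = """
CREATE TABLE pages (name TEXT, hidden INTEGER);
CREATE TABLE config (secret TEXT);
INSERT INTO pages VALUES ('Zebra', 0), ('Apple', 0), ('Hidden', 1);
INSERT INTO config VALUES ('s3cr3t-token');
"""


def open_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_vulnerable(order_field):
    """Hypothetical template (not XWiki's real HQL): the caller-supplied sort
    field is spliced into the query text twice, once in the projection and
    once in ORDER BY, which is the shape the advisory describes."""
    return "SELECT {f} FROM pages WHERE hidden = 0 ORDER BY {f}".format(f=order_field)


def run_vulnerable(conn, order_field):
    return conn.execute(build_query_vulnerable(order_field)).fetchall()


# Constructed payload. It ends in a single quote, so after substitution the
# query reads:
#   SELECT (SELECT secret FROM config), ' FROM pages ... ORDER BY (SELECT secret FROM config), '
# Everything between the two occurrences, plus the body of the second one,
# becomes a single string literal. Only the first occurrence is parsed as
# syntax, and its subquery reads a table the search was never meant to touch.
PAYLOAD = "(SELECT secret FROM config), '"

# Hardened variant. Identifiers cannot be bound as query parameters, so the
# usual defence for a sort column is a fixed allow-list of column names;
# anything else (quotes, commas, subqueries) is rejected before it reaches
# the query text.
ALLOWED_ORDER_FIELDS = {"name", "hidden"}


def run_safe(conn, order_field):
    if order_field not in ALLOWED_ORDER_FIELDS:
        raise ValueError("orderField is not an allowed column: %r" % order_field)
    return conn.execute(build_query_vulnerable(order_field)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(build_query_vulnerable(PAYLOAD))
    print(run_vulnerable(db, "name"))    # normal use: visible pages, sorted
    print(run_vulnerable(db, PAYLOAD))   # one row containing the secret
    try:
        run_safe(db, PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints the substituted query so the two occurrences and the single string literal between them are visible; the injected query returns a single row whose first column is the value from the unrelated `config` table, while the allow-listed version refuses the same input.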
Recommendations

Update to the fixed release for the line in use: XWiki Platform 16.10.9 or later (16.10.x line), 17.4.2 or later (17.4.x line), or 17.5.0 or later.

Weakness Enumeration

SQL injection

Related Identifiers

BDU:2025-12562
CVE-2025-52472
GHSA-gprp-h92g-gc2h

Affected Products

Xwiki Platform