CVE-2025-53835 CRITICAL

CVE-2025-53835: XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax

Vendor Xwiki
Product xwiki-rendering
Weakness CWE-79 · XSS
Published July 14, 2025
Last update July 15, 2025
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.

Key dates

02Disclosure timeline

July 14, 2025 CVE published
July 15, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-48728 CVE-2025-31748 WordPress Opal Portfolio Plugin <= 1.0.4 - Stored Cross Site Scripting (XSS) vulnerability CVE-2025-11119 itsourcecode Hostel Management System POST Request index.php cross site scripting CVE-2024-4042 Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel - Combo Blocks <= 2.2.80 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attribute CVE-2024-1987 WP-Members Membership Plugin <= 3.4.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode