CVE-2025-55730

XWiki Remote Macros vulnerable to remote code execution using the confluence paste code macro

Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.

INFO

Published Date :

2025-09-09T18:53:53.410Z

Last Modified :

2025-09-10T13:53:06.252Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-55730 vulnerability.

Vendors	Products
Xwikisas	Xwiki-pro-macros

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55730.

URL	Resource
https://github.com/xwikisas/xwiki-pro-macros/blob/93ac1a38c829e3ef787379b2b45eb043a573e5f7/xwiki-pro-macros-confluence-bridges/xwiki-pro-macros-confluence-bridges-ui/src/main/resources/Confluence/Macros/ConfluencePasteCodeMacro.xml#L435
https://github.com/xwikisas/xwiki-pro-macros/commit/049716df415aaf00938a91d618d382777820d2af
https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-5w8v-h22g-j2mp
https://jira.xwiki.org/browse/XWIKI-20449

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact