Description
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
Remediation
References
Related Vulnerabilities
axios Insertion of Sensitive Information Into Sent Data Vulnerability (CVE-2026-44487)
PHP Use of Externally-Controlled Format String Vulnerability (CVE-2009-0754)
WordPress Plugin Properties and Agents-Real Estate Manager Cross-Site Scripting (6.7.1)
Magento Server-Side Request Forgery (SSRF) Vulnerability (CVE-2019-8156)