Is CVE-2025-32972 actively exploited?

CVE-2025-32972 has no public evidence of in-the-wild exploitation as of 2025-05-13.

What is the CVSS score for CVE-2025-32972?

CVE-2025-32972 has a CVSS score of 2.7 (LOW severity). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L.

How do I patch CVE-2025-32972?

Patch guidance is available from xwiki security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-32972.

CVE-2025-32972 - remediation guidance & executive summary

Q: Which products are affected by CVE-2025-32972?

7 products: xwiki xwiki, xwiki xwiki, xwiki xwiki, xwiki xwiki, xwiki xwiki, and 2 more.

Description

XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Attack Vector: network
Complexity: low
Privileges: high
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: low
Weaknesses: CWE-285NVD-CWE-noinfo

Metadata

Primary Vendor: XWIKI
Published: 4/30/2025
Last Modified: 5/13/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

xwiki : xwikixwiki : xwikixwiki : xwikixwiki : xwikixwiki : xwikixwiki : xwikixwiki : xwiki

Remediation Guidance

Executive Summary

View on NIST NVD