CVE-2025-32972: CWE-285: Improper Authorization in xwiki xwiki-platform
XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.
AI Analysis
Technical Summary
CVE-2025-32972 is an Improper Authorization flaw (CWE-285) in the XWiki platform, a widely used generic wiki. It lies in the script API of XWiki's LESS compiler component: the cache cleaning entry point does not verify the caller's permissions correctly, so a user who holds script right but not programming right can trigger cache clearing. Because a cleared cache has to be rebuilt, the effect is performance degradation and slower execution of the platform. Exploitation requires script right, which already grants the ability to execute arbitrary scripts, so the incremental risk is small; the impact is a denial-of-service-like slowdown rather than data compromise or system takeover. Affected versions are 6.1-milestone-1 up to but not including 15.10.12, 16.0.0-rc-1 up to but not including 16.4.3, and 16.5.0-rc-1 up to but not including 16.8.0-rc-1; the fix is in 15.10.12, 16.4.3, and 16.8.0-rc-1. The CVSS v3.1 base score is 2.7 (low severity), reflecting the limited impact and the high privileges required. No exploits are known in the wild. In short, this is a low-severity authorization flaw that can cause performance issues but does not compromise the confidentiality or integrity of data in XWiki deployments.
Potential Impact
For European organizations using affected versions of XWiki, the primary impact is potential performance degradation due to unauthorized cache clearing by users with script rights. This could lead to slower wiki response times and reduced productivity, especially in environments with high user activity or complex wiki content. Since exploitation requires script rights, which already permit extensive scripting capabilities, the incremental risk is minimal. However, in organizations where script rights are granted to a broad user base or insufficiently controlled, this vulnerability could be leveraged to cause service slowdowns or intermittent denial of service. The impact on confidentiality and integrity is negligible. Given that many European public sector entities, academic institutions, and enterprises use XWiki for collaboration and documentation, any slowdown could affect operational efficiency. The absence of known exploits reduces immediate risk, but organizations should still prioritize patching to prevent potential misuse and maintain optimal system performance.
Mitigation Recommendations
1. Upgrade affected XWiki instances to the patched versions: 15.10.12, 16.4.3, or 16.8.0-rc-1 or later. This is the most effective mitigation.
2. Restrict assignment of script rights to only highly trusted users or administrators, minimizing the attack surface.
3. Implement strict access controls and audit logging around script execution and cache management operations to detect any unauthorized attempts.
4. Monitor system performance metrics and cache clearing events to identify unusual activity that could indicate exploitation attempts.
5. Consider disabling or limiting the use of the LESS compiler script API if not required for business operations.
6. Conduct regular security reviews of user permissions within XWiki to ensure least privilege principles are enforced.
7. Employ network segmentation and application-layer firewalls to limit access to the XWiki platform from untrusted networks or users.
These targeted measures go beyond generic advice by focusing on controlling script rights and monitoring cache-related operations specific to this vulnerability.
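The following is an added example for this advisory and is not XWiki's code; it models the flaw class described in the technical summary (an administrative script-API call gated on the wrong right) next to its hardened form, and then implements the audit-log check that mitigation items 3 and 4 ask for over constructed log lines. The right names, the cache class, the event names and the log format are assumptions made for the example; the advisory only states that programming right was meant to be required and that script right was accepted instead.

```python
# Added example for this advisory; it is not XWiki's code. It models the
# flaw class (an administrative script-API call gated on the wrong right)
# next to its hardened form, and then scans constructed audit lines for the
# two signals the mitigation section asks operators to watch: cache clears
# by callers without programming right, and bursts of clears.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

SCRIPT = "script"            # right to author server-side scripts (assumed name)
PROGRAMMING = "programming"  # highest right; assumed to gate admin calls


@dataclass
class User:
    name: str
    rights: Set[str] = field(default_factory=set)


class LessCache:
    """Stand-in for a compiled-stylesheet cache that is costly to refill."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {"skin.less": "<compiled css>"}
        self.clear_count = 0

    def clear(self) -> None:
        self.entries.clear()
        self.clear_count += 1


def _record(audit: List[str], event: str, user: User) -> None:
    audit.append(f"{event} user={user.name} rights={','.join(sorted(user.rights))}")


def clear_cache_vulnerable(user: User, cache: LessCache, audit: List[str]) -> bool:
    """Defect modelled on the advisory: only script right is checked, so any
    script author can force a full cache rebuild. Returns True if cleared."""
    if SCRIPT not in user.rights:
        _record(audit, "LESS_CACHE_CLEAR_DENIED", user)
        return False
    cache.clear()
    _record(audit, "LESS_CACHE_CLEAR", user)
    return True


def clear_cache_fixed(user: User, cache: LessCache, audit: List[str]) -> bool:
    """Hardened form: the operation requires programming right, the privilege
    the advisory says the cache-cleaning API was meant to demand."""
    if PROGRAMMING not in user.rights:
        _record(audit, "LESS_CACHE_CLEAR_DENIED", user)
        return False
    cache.clear()
    _record(audit, "LESS_CACHE_CLEAR", user)
    return True


# Constructed audit lines (not real XWiki log output), in time order:
# "<ISO timestamp> <event> user=<name> rights=<comma-separated rights>"
SAMPLE_AUDIT = [
    "2025-06-01T10:00:00Z LESS_CACHE_CLEAR user=admin rights=programming,script",
    "2025-06-01T10:01:00Z LESS_CACHE_CLEAR user=bob rights=script",
    "2025-06-01T10:02:00Z LESS_CACHE_CLEAR user=bob rights=script",
    "2025-06-01T10:03:00Z LESS_CACHE_CLEAR user=bob rights=script",
    "2025-06-01T10:30:00Z LESS_CACHE_CLEAR user=admin rights=programming,script",
]


def find_suspicious_clears(lines: List[str], max_per_window: int = 3,
                           window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Report (a) clears by callers lacking programming right and (b) more
    than max_per_window clears inside a sliding window, the repeated-rebuild
    pattern the advisory describes. Lines are assumed to be chronological."""
    findings: List[str] = []
    recent: List[datetime] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[1] != "LESS_CACHE_CLEAR":
            continue  # denied attempts and unrelated lines are not clears
        stamp = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        fields = dict(p.split("=", 1) for p in parts[2:])
        rights = set(fields.get("rights", "").split(","))
        if PROGRAMMING not in rights:
            findings.append(f"{fields['user']} cleared cache without programming right at {parts[0]}")
        recent.append(stamp)
        while recent and stamp - recent[0] > window:
            recent.pop(0)
        if len(recent) > max_per_window:
            findings.append(f"burst: {len(recent)} clears within {window} ending {parts[0]}")
    return findings


if __name__ == "__main__":
    cache, audit = LessCache(), []
    bob = User("bob", {SCRIPT})
    print("vulnerable:", clear_cache_vulnerable(bob, cache, audit))  # True: bob clears
    print("fixed:", clear_cache_fixed(bob, cache, audit))            # False: denied
    for finding in find_suspicious_clears(SAMPLE_AUDIT):
        print(finding)
```

On the sample lines the detector reports the three clears by a script-only caller and one burst of four clears in five minutes; the two administrator clears, thirty minutes apart, produce nothing. The window and threshold are tunable per deployment, and the denied events written by the hardened path are deliberately excluded from the burst count so that a user repeatedly hitting the permission check shows up only through the denied-event trail, not as a rebuild storm.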
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Finland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-14T21:47:11.455Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983bc4522896dcbedf43
Added to database: 5/21/2025, 9:09:15 AM
Last enriched: 6/25/2025, 7:32:13 AM
Last updated: 8/8/2025, 3:59:47 PM
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)