CVE-2025-54125 is a high-severity vulnerability affecting multiple versions of the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The vulnerability arises from the XML export functionality of a wiki page, which can be triggered by any user with view rights by appending '?xpage=xml' to the page URL. In affected versions (1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0), the XML export includes sensitive properties such as passwords and email addresses stored on the document, even if these properties are not explicitly named 'password' or 'email'. This results in unauthorized exposure of private personal information to any user with viewing permissions, without requiring authentication or user interaction beyond viewing the page. The vulnerability is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). It has a CVSS 4.0 base score of 8.7, reflecting its network exploitable nature, no required privileges, no user interaction, and a high impact on confidentiality. The issue is fixed in versions 16.4.7, 16.10.5, and 17.2.0-rc-1. As a workaround, administrators can delete the 'templates/xml.vm' file from the deployed WAR if XML export functionality is not needed, as no core XWiki features depend on it. There are currently no known exploits in the wild. This vulnerability poses a significant risk of data leakage, potentially exposing user credentials and contact information to unauthorized actors who have only view access to the wiki pages.

For European organizations using vulnerable versions of XWiki Platform, this vulnerability could lead to unauthorized disclosure of sensitive personal information, including passwords and email addresses. This exposure can facilitate further attacks such as credential stuffing, phishing, or social engineering campaigns targeting employees or customers. The breach of personal data may also violate the EU General Data Protection Regulation (GDPR), leading to regulatory penalties, reputational damage, and loss of customer trust. Since the vulnerability requires only view rights, it can be exploited by any authenticated or unauthenticated user with access to the wiki pages, increasing the attack surface. Organizations relying on XWiki for internal documentation, collaboration, or customer-facing knowledge bases are at risk of confidential information leakage, potentially impacting business operations and security posture.

1. Upgrade XWiki Platform to the patched versions 16.4.7, 16.10.5, or 17.2.0-rc-1 as soon as possible to eliminate the vulnerability. 2. If immediate upgrade is not feasible, remove or rename the 'templates/xml.vm' file in the deployed WAR directory to disable the XML export feature, preventing exposure of sensitive data. 3. Review and audit wiki pages for any sensitive information stored in custom properties that may be inadvertently exposed. 4. Restrict view permissions on sensitive pages to trusted users only, minimizing the risk of unauthorized access. 5. Monitor access logs for unusual or suspicious requests containing '?xpage=xml' to detect potential exploitation attempts. 6. Educate users and administrators about the risks of exposing sensitive data in wiki documents and encourage secure data handling practices. 7. Implement network-level controls or web application firewalls (WAF) rules to block or alert on requests attempting to access XML exports if disabling the feature is not possible.