CVE-2025-66472 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79 and CWE-80, affecting the XWiki Platform's Flamingo Skin Resources and Web Templates components. The vulnerability exists in versions from 6.2-milestone-1 up to but not including 16.10.10, and from 17.0.0-rc-1 up to but not including 17.4.2. The flaw occurs due to improper neutralization of attacker-controlled input embedded within a deletion confirmation message displayed to users. Specifically, when a user is prompted to confirm deletion, the 'No' button triggers execution of the injected script if the input is maliciously crafted. This reflected XSS does not require prior authentication but does require the victim to interact by clicking the 'No' button, making social engineering or phishing a likely attack vector. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the victim’s browser session, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions within the wiki environment. The vulnerability has been assigned a CVSS 4.0 base score of 6.5, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The scope and impact are high due to the potential for script injection in a widely used collaboration platform. The issue was publicly disclosed on December 10, 2025, and fixed in versions 16.10.10 and 17.4.2 of the affected components. No known exploits have been reported in the wild, but the presence of a fix indicates the importance of timely patching.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on XWiki as a collaboration or knowledge management platform. Successful exploitation could lead to session hijacking, allowing attackers to impersonate legitimate users and access sensitive corporate information. It could also facilitate the spread of malware or phishing campaigns within the organization by injecting malicious scripts into trusted internal web pages. This can undermine user trust and lead to data breaches or compliance violations under regulations such as GDPR. The requirement for user interaction means the attack surface is somewhat limited but still exploitable through social engineering. Organizations with large user bases or those in sectors with high confidentiality requirements (e.g., finance, healthcare, government) are particularly at risk. Additionally, since XWiki is often used in multi-tenant or cloud environments, the vulnerability could be leveraged to pivot attacks or escalate privileges within hosted platforms.

European organizations should immediately upgrade affected XWiki Platform components to versions 16.10.10 or 17.4.2 or later, where the vulnerability is patched. In parallel, implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct user awareness training focused on recognizing phishing and social engineering attempts, as exploitation requires user interaction. Review and sanitize all user inputs and outputs in custom XWiki extensions or templates to prevent similar injection flaws. Employ web application firewalls (WAFs) with rules targeting reflected XSS patterns to provide an additional layer of defense. Regularly audit and monitor logs for suspicious activities related to deletion confirmation workflows. Finally, consider isolating critical XWiki instances behind VPNs or internal networks to limit exposure to external attackers.