CVE-2025-66472 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79 and CWE-80 affecting the XWiki Platform, specifically the Flamingo Skin Resources and Web Templates components. The vulnerability exists in versions from 6.2-milestone-1 up to but excluding 16.10.10, and from 17.0.0-rc-1 up to but excluding 17.4.2. It occurs due to improper neutralization of attacker-controlled input embedded in a deletion confirmation message. When a user triggers this message and clicks the "No" button, the injected malicious script executes in the victim's browser context. This reflected XSS does not require any authentication or privileges, but does require user interaction (clicking the "No" button). The attack vector is network-based, and the attack complexity is low, making exploitation feasible by remote attackers who can trick users into clicking the malicious link or button. The vulnerability can lead to session hijacking, credential theft, unauthorized actions on behalf of the user, or distribution of malware. The issue is fixed in versions 16.10.10 and 17.4.2 of both affected components. No known exploits have been reported in the wild as of the publication date. The CVSS 4.0 base score is 6.5, reflecting medium severity with high scope impact due to potential compromise of user sessions and data confidentiality. The vulnerability highlights the importance of proper input sanitization and output encoding in web application components that generate dynamic content based on user input.

For European organizations, the impact of CVE-2025-66472 can be significant, especially for those relying on XWiki Platform for internal knowledge management, collaboration, and documentation. Successful exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, leading to session hijacking, theft of sensitive information, or unauthorized actions within the wiki environment. This can compromise confidentiality and integrity of organizational data and potentially lead to lateral movement within the network if attackers leverage stolen credentials or session tokens. Public sector entities, research institutions, and enterprises using XWiki for collaborative projects may face operational disruptions and reputational damage. The requirement for user interaction (clicking the "No" button) somewhat limits automated exploitation but social engineering or phishing campaigns could facilitate attacks. Given the medium CVSS score and no authentication required, the vulnerability represents a moderate risk that should be addressed promptly to prevent exploitation and protect sensitive information.

European organizations should prioritize upgrading affected XWiki Platform components to versions 16.10.10 or 17.4.2 or later, where the vulnerability is fixed. Until upgrades can be applied, organizations should implement strict Content Security Policy (CSP) headers to restrict script execution and reduce the impact of XSS attacks. Additionally, user awareness training should emphasize caution when interacting with unexpected confirmation dialogs or links, especially in wiki environments. Web application firewalls (WAFs) can be tuned to detect and block reflected XSS payloads targeting the deletion confirmation message. Regular security audits and code reviews of custom XWiki extensions or templates should be conducted to ensure no similar input sanitization issues exist. Monitoring logs for unusual user activity or suspicious requests related to deletion confirmations can help detect attempted exploitation. Finally, organizations should maintain an inventory of XWiki deployments and versions to ensure timely patch management and vulnerability remediation.