Steps to reproduce:
Tags for hello from groovy! are displayed.
This demonstrates a privilege escalation attack from view rights on Main.Tags to programming rights. This is also a remote code execution attack.
This affects most likely all versions of XWiki containing the async macro (version 11.6RC1 and later) that allows to circumvent the script macro nesting protection. Similar attacks might also be possible with the job macro, this is to be verified.