Steps to reproduce:
1. Open the URL
2. Create a page with content
   (or insert this in the description of the user profile).

Expected result:
No file /tmp/exploit.txt is created.

Actual result:
A file /tmp/exploit.txt with content owned! is created on the server (if the server is running Linux; on Windows the path needs to be adjusted).
This demonstrates a privilege escalation from view rights to programming rights, caused by insufficient escaping of parameters in the mentions macro. With only view rights it is exploitable through the HTML converter of CKEditor, which parses and renders arbitrary XWiki syntax without requiring edit rights. Without that converter, edit rights on any page (the user's own profile suffices) are needed.