Steps to reproduce:
to any place where you can use wiki syntax, such as the "about" section of your user profile, as a user without programming or script rights.
The notifications macro is displayed for some strange wiki name.
is displayed. This shows that the Groovy macro has been executed and that the attacker has gained programming rights, which allow read and write access to the whole wiki and to the host system.
The attack can be executed with an account that only has write access to its own user profile, or even with view rights alone via CKEditor's HTML converter.