Steps to reproduce:
As a user without script or programming rights, edit the about section of your user profile and include
Normally, the user profile is displayed with an error saying that Groovy couldn't be executed.
is displayed, followed by further raw HTML code, showing that the Groovy macro has been executed. This demonstrates a privilege escalation from plain account rights to programming rights. This attack is similar to XWIKI-20313, but instead of attacking UIX execution, it attacks the display of rich text properties. Note that with HTML comments, full unfiltered Groovy code could be introduced, but I assume that using features like GroovyShell#evaluate, further code could also be easily interpreted from a URL parameter without requiring characters that are lost due to the HTML sanitizer (didn't test).