This is a major and very old security flaw.
A Velocity script, even one written by a guest in a comment, could later be executed with the access rights of a privileged user (apart from programming rights, but those could be gained later).
If an XWiki administrator looks at
- the comment of an anonymous user,
- a page written by a simple user,
- a rendered textarea field,
- a user's panels,
- in fact, anything rendered from user input...
the Velocity script is executed with all the access rights of that administrator.
The cause is that all access rights are always checked against context.user, not against the user who wrote the script (the only right the script will not have is programming rights, until context.doc is content authored by an administrator).
Without programming rights (PR), the API currently allows viewing, creating and overwriting any document with the access rights of the viewer, and with the viewer recorded as author (api.XWiki#getDocument() and api.Document#save()).
Saving a document is the worst, since with something like this:
you may even create and execute scripts that have Programming Rights, since the content author of the created document could be a viewer having programming rights!
Now be really careful next time you log in with Programming Rights; you may lose control...
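As an added illustration (a constructed Python model, not XWiki code and independent of its API), here is the rights confusion described above reduced to its essentials: a toy "script" saved by a guest is rendered in an administrator's context, the save succeeds when rights are checked only against context.user, and is denied once the script's content author is checked as well. The user names, levels and the SAVE(...) syntax are all invented for the model.

```python
from dataclasses import dataclass, field

# Constructed access levels; XWiki's real rights model is richer than this.
LEVELS = {"guest": 0, "user": 1, "admin": 2}


@dataclass
class Document:
    name: str
    content: str             # may hold a toy "script" of the form SAVE(target,text)
    author: str              # content author: who last saved this content
    edit_level: int = 1      # minimum level needed to save this document


@dataclass
class Wiki:
    users: dict
    docs: dict = field(default_factory=dict)

    def can_edit(self, user, doc):
        return self.users[user] >= doc.edit_level

    def render(self, doc, viewer, check_author=False):
        """Render doc in the viewer's context, executing an embedded SAVE(...) script.

        check_author=False models the flaw: rights are checked only against the
        viewer (context.user).  check_author=True grants the script only rights
        that both the content author and the viewer hold."""
        if not doc.content.startswith("SAVE("):
            return doc.content
        target_name, text = doc.content[len("SAVE("):-1].split(",", 1)
        target = self.docs[target_name]
        actors = [viewer] + ([doc.author] if check_author else [])
        if not all(self.can_edit(a, target) for a in actors):
            return "denied"
        target.content = text
        target.author = viewer   # saved as the viewer, so the content author becomes the viewer
        return "saved"


def demo(check_author):
    """A guest comment targets an admin-only page; then an admin views the comment."""
    wiki = Wiki(users=LEVELS)
    wiki.docs["Admin.Config"] = Document("Admin.Config", "original", "admin", edit_level=2)
    comment = Document("Comment", "SAVE(Admin.Config,overwritten)", author="guest", edit_level=0)
    result = wiki.render(comment, viewer="admin", check_author=check_author)
    return result, wiki.docs["Admin.Config"].content, wiki.docs["Admin.Config"].author


if __name__ == "__main__":
    print(demo(False))  # ('saved', 'overwritten', 'admin')
    print(demo(True))   # ('denied', 'original', 'admin')
```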