Found a URI based reflected XSS on XWIKI 4.5.2
I tested it on XWIKI 5.1 and found that 5.1 is not vulnerable to this attack. However I haven't checked 4.5.3 to 5.0
There is no vulnerable parameter. When we pass on the payload on any URL, the attack is triggered.
The problem is with the links on the export dropdown menu as there this attack is escaping the anchor tag and the script tag gets injected to the HTML for rendering on browser.
Wanted to add a screenshot as POC, but there is not attach file option.