CVE-2025-23072
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in the MediaWiki RefreshSpecial extension. It allows attackers to inject malicious scripts into web pages, potentially compromising user sessions or stealing sensitive data. Affected users include anyone running vulnerable versions of MediaWiki with the RefreshSpecial extension enabled.
💻 Affected Systems
- Wikimedia Foundation MediaWiki - RefreshSpecial Extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Session hijacking, cookie theft, or credential harvesting from users who visit maliciously crafted pages.
If Mitigated
Limited impact with proper Content Security Policy (CSP) headers and input validation, though XSS could still execute in some contexts.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity, especially when exploitation requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.39.11, 1.41.3, or 1.42.2
Vendor Advisory: https://phabricator.wikimedia.org/T378885
Restart Required: No
Instructions:
1. Update MediaWiki to the patched version.
2. Verify the RefreshSpecial extension is updated.
3. Clear caches if necessary.
🔧 Temporary Workarounds
Disable RefreshSpecial Extension
Temporarily disable the vulnerable extension until patching is possible.
Edit LocalSettings.php and remove or comment out: wfLoadExtension('RefreshSpecial');
Implement Content Security Policy
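Add CSP headers to mitigate XSS impact by restricting script execution sources. MediaWiki's own pages emit inline scripts, so trial the policy with the Content-Security-Policy-Report-Only header before enforcing it.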
Add to web server config or .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
For Apache: Header always set Content-Security-Policy "default-src 'self'"
For Nginx: add_header Content-Security-Policy "default-src 'self';";
🧯 If You Can't Patch
- Disable the RefreshSpecial extension immediately.
- Implement strict input validation and output encoding for all user inputs in custom code.
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version and extension status via Special:Version page or by examining LocalSettings.php for wfLoadExtension('RefreshSpecial').
Check Version:
php maintenance/run.php version (CLI; on 1.39.x, which predates run.php, use php maintenance/version.php) or check the Special:Version page.
Verify Fix Applied:
Confirm the MediaWiki version is 1.39.11, 1.41.3, or 1.42.2 or higher, and verify that the extension is enabled only on installations running a patched version.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to RefreshSpecial pages with script tags or JavaScript payloads in parameters.
- Error logs showing malformed input or script execution attempts.
Network Indicators:
- HTTP requests containing suspicious script tags or encoded JavaScript in query strings or POST data.
SIEM Query:
source="*access.log*" AND (uri_path="*RefreshSpecial*" AND (query="*<script>*" OR query="*javascript:*"))
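Access logs record the request target percent-encoded, so a literal match on <script> like the query above can miss encoded or double-encoded input. The following is an added example, not part of the original advisory or the MediaWiki project: it decodes each request target before applying the same indicators. It assumes the combined access-log format; the sample lines and the parameter name "x" are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markers taken from the indicators above: script tags and javascript: URIs.
MARKER_RE = re.compile(r"<\s*/?\s*script|javascript:", re.IGNORECASE)

# Constructed sample lines; the parameter name "x" is a placeholder, not the real one.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:00 +0000] "GET /wiki/Special:RefreshSpecial HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Jan/2025:10:01:00 +0000] "GET /index.php?title=Special:RefreshSpecial&x=%3Cscript%3E HTTP/1.1" 200 5300',
    '203.0.113.9 - - [10/Jan/2025:10:02:00 +0000] "GET /index.php?title=Special%3ARefreshSpecial&x=%253Cscript%253E HTTP/1.1" 200 5300',
    '203.0.113.7 - - [10/Jan/2025:10:03:00 +0000] "GET /index.php?title=Main_Page&x=%3Cscript%3E HTTP/1.1" 200 4100',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (line_number, decoded_target) for RefreshSpecial requests carrying a marker."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        target = fully_decode(match.group("target"))
        if "refreshspecial" in target.lower() and MARKER_RE.search(target):
            hits.append((number, target))
    return hits

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Access logs do not record POST bodies, so the POST half of the indicator needs WAF or application-level request logging.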