CVE-2025-23079
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in the MediaWiki ArticleFeedbackv5 extension. Attackers can inject malicious scripts into web pages that execute when viewed by other users. This affects MediaWiki installations using the vulnerable extension version.
💻 Affected Systems
- Wikimedia Foundation MediaWiki - ArticleFeedbackv5 extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface pages, or redirect users to malicious sites.
Likely Case
Attackers inject malicious scripts to steal user session data or credentials from users viewing affected pages.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity once the injection point is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.42.2
Vendor Advisory: https://phabricator.wikimedia.org/T381753
Restart Required: No
Instructions:
- Update MediaWiki to version 1.42.2 or later
- Update the ArticleFeedbackv5 extension to the patched version
- Clear any caches if applicable
🔧 Temporary Workarounds
Disable ArticleFeedbackv5 extension
Temporarily disable the vulnerable extension until patching is possible
Edit LocalSettings.php and remove or comment out: wfLoadExtension('ArticleFeedbackv5');
Implement Content Security Policy
Add CSP headers to restrict script execution sources
Add to web server config or application headers: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Enable input validation and output encoding for all user inputs
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version and ArticleFeedbackv5 extension version in LocalSettings.php and extension files
Check Version:
grep "MW_VERSION" includes/Defines.php
Verify Fix Applied:
Confirm MediaWiki version is 1.42.2 or later and ArticleFeedbackv5 extension is updated
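The two checks above, scripted as an added example (not from the vendor advisory or this database): it reads MW_VERSION from includes/Defines.php and looks for an uncommented ArticleFeedbackv5 load line in LocalSettings.php. It assumes a standard MediaWiki directory layout and GNU `sort -V`; the function names are illustrative, and the extension's own patch level still has to be checked by hand because this page gives no extension version.

```shell
#!/bin/sh
# Added example: local exposure check for CVE-2025-23079.
# Usage: sh check_afv5.sh /path/to/mediawiki
FIXED_VERSION="1.42.2"   # "Patch Version" as stated on this page

# Print the MW_VERSION string defined in <root>/includes/Defines.php.
mw_version() {
  sed -n "s/.*define( *'MW_VERSION' *, *'\([^']*\)'.*/\1/p" \
    "$1/includes/Defines.php" 2>/dev/null | head -n 1
}

# Succeed if LocalSettings.php loads ArticleFeedbackv5 on a line that is not
# commented out (#, //, /* or a block-comment continuation "*").
# Covers wfLoadExtension( 'X' ) and single-line wfLoadExtensions( [ ... ] ).
extension_enabled() {
  grep -Ev '^[[:space:]]*(#|//|\*|/\*)' "$1/LocalSettings.php" 2>/dev/null |
    grep -Eq "wfLoadExtensions?[[:space:]]*\(.*['\"]ArticleFeedbackv5['\"]"
}

# Succeed if version $1 >= version $2 (1.42.10 sorts after 1.42.2).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print one of:
#   not-loaded                    extension not enabled in LocalSettings.php
#   loaded-core-version-unknown   enabled, MW_VERSION could not be read
#   loaded-core-below-fix         enabled, core older than FIXED_VERSION
#   loaded-core-at-or-above-fix   enabled, core at or above FIXED_VERSION
check_install() {
  if ! extension_enabled "$1"; then
    echo "not-loaded"
    return 0
  fi
  ver="$(mw_version "$1")"
  if [ -z "$ver" ]; then
    echo "loaded-core-version-unknown"
  elif version_ge "$ver" "$FIXED_VERSION"; then
    echo "loaded-core-at-or-above-fix"
  else
    echo "loaded-core-below-fix"
  fi
}

if [ $# -gt 0 ]; then
  check_install "$1"
fi
```

A result of `loaded-core-at-or-above-fix` only covers the core version; confirm separately that the ArticleFeedbackv5 checkout itself has been updated.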
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags in user input logs
- Multiple failed input validation attempts
- Suspicious characters in URL parameters
Network Indicators:
- HTTP requests containing script tags or JavaScript in parameters
- Unusual outbound connections from user browsers
SIEM Query:
web_access_logs WHERE url CONTAINS '<script' OR url CONTAINS 'javascript:'