CVE-2025-53483
📋 TL;DR
This CSRF vulnerability in MediaWiki's SecurePoll extension allows attackers to trick administrators into performing unauthorized sensitive actions like archiving/unarchiving pages or clearing voter eligibility data. It affects MediaWiki installations with the SecurePoll extension enabled, specifically versions 1.39.X before 1.39.13, 1.42.X before 1.42.7, and 1.43.X before 1.43.2.
💻 Affected Systems
- MediaWiki SecurePoll Extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate poll data, archive/unarchive sensitive pages, or clear voter eligibility data, potentially disrupting elections or compromising poll integrity.
Likely Case
Unauthorized archiving/unarchiving of pages or clearing of voter eligibility data, leading to data loss or administrative disruption.
If Mitigated
No impact if proper CSRF protections are implemented or if administrators don't visit malicious sites while authenticated.
🎯 Exploit Status
Exploitation requires an administrator to visit a malicious site while authenticated. No authentication bypass is needed beyond CSRF.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.39.13, 1.42.7, 1.43.2
Vendor Advisory: https://phabricator.wikimedia.org/T392341
Restart Required: No
Instructions:
1. Update MediaWiki to a patched version.
2. Update the SecurePoll extension if it is installed separately.
3. Clear caches if applicable.
🔧 Temporary Workarounds
Disable SecurePoll Extension
Temporarily disable the vulnerable extension until patching is possible.
Edit LocalSettings.php and comment out or remove wfLoadExtension('SecurePoll');
Implement CSRF Middleware
Add custom CSRF validation for the affected endpoints.
Add CSRF token validation to ArchivePage.php, UnarchivePage.php, and VoterEligibilityPage#executeClear() methods
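Added illustration of that mitigation, not SecurePoll's or MediaWiki's own code: a hypothetical special page (SpecialExamplePoll and its doArchive() helper are assumed names) showing the unchecked POST handler the advisory describes beside the hardened form, which requires a per-session edit token checked with MediaWiki's User::matchEditToken() and emitted with User::getEditToken(); the salt string 'examplepoll' is an assumption.

```php
<?php
// Hypothetical special page illustrating CVE-2025-53483's root cause and fix.
// Class name, subpage name, the doArchive() helper and the salt are assumed.
class SpecialExamplePoll extends SpecialPage {
	public function __construct() {
		// The restricting user right is omitted here; a real page names one.
		parent::__construct( 'ExamplePoll' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$this->checkPermissions();
		$request = $this->getRequest();
		$user = $this->getUser();
		$out = $this->getOutput();

		// VULNERABLE pattern (the advisory's description): any POST carrying the
		// expected fields triggers the state change, so a form auto-submitted by a
		// third-party site in the admin's browser looks exactly like a real one.
		// if ( $request->wasPosted() && $request->getCheck( 'archive' ) ) {
		//     $this->doArchive( $request->getInt( 'id' ) );
		// }

		// HARDENED pattern: require a POST *and* a token bound to this session.
		if ( $request->wasPosted() ) {
			if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ), 'examplepoll' ) ) {
				// Missing, stale or foreign-session token: refuse, change nothing.
				$out->showErrorPage( 'sessionfailure-title', 'sessionfailure' );
				return;
			}
			$this->doArchive( $request->getInt( 'id' ) );
			return;
		}

		// GET: render the form with a salted token, so a token minted for this
		// action cannot be replayed against a differently-salted one.
		$out->addHTML(
			Html::openElement( 'form', [
				'method' => 'post',
				'action' => $this->getPageTitle()->getLocalURL(),
			] ) .
			Html::hidden( 'id', $request->getInt( 'id' ) ) .
			Html::hidden( 'wpEditToken', $user->getEditToken( 'examplepoll' ) ) .
			Html::submitButton( 'Archive', [ 'name' => 'archive' ] ) .
			Html::closeElement( 'form' )
		);
	}

	private function doArchive( int $id ): void {
		// Hypothetical: the sensitive state change the token now protects.
	}
}
```

Using HTMLForm instead of hand-built markup gives the same protection automatically, since it emits and validates wpEditToken on submit.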
🧯 If You Can't Patch
- Restrict administrator access to trusted networks only
- Implement strict Content Security Policy to prevent malicious site interactions
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version and SecurePoll extension version against affected ranges.
Check Version:
Check the MediaWiki version in includes/DefaultSettings.php or on the Special:Version page.
Verify Fix Applied:
Verify MediaWiki version is 1.39.13+, 1.42.7+, or 1.43.2+ and check that CSRF tokens are now validated in affected files.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized archive/unarchive actions
- Voter eligibility clear actions without proper CSRF tokens
- Multiple sensitive actions from same administrator in short timeframe
Network Indicators:
- HTTP POST requests to affected endpoints without CSRF tokens
- Cross-origin requests to sensitive endpoints
SIEM Query:
source="mediawiki" AND (action="archive" OR action="unarchive" OR action="clear_voter_eligibility") AND csrf_token=""