CVE-2025-53484
📋 TL;DR
This cross-site scripting (XSS) vulnerability in MediaWiki's SecurePoll extension allows attackers to inject malicious JavaScript through user-controlled inputs in poll options and page names. Successful exploitation can compromise user sessions by stealing authentication cookies or performing actions as authenticated users. This affects MediaWiki installations with the SecurePoll extension in specific vulnerable versions.
💻 Affected Systems
- MediaWiki SecurePoll Extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the wiki, and potentially compromise the entire MediaWiki instance and underlying server.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, modify content, or access sensitive information within the wiki.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing session compromise.
🎯 Exploit Status
XSS vulnerabilities are commonly weaponized. The CVSS 9.8 score indicates critical severity with low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SecurePoll extension versions 1.39.13, 1.42.7, and 1.43.2
Vendor Advisory: https://phabricator.wikimedia.org/T392341
Restart Required: No
Instructions:
1. Update MediaWiki to a secure version. 2. Update the SecurePoll extension to patched versions: 1.39.13, 1.42.7, or 1.43.2. 3. Clear caches if applicable.
🔧 Temporary Workarounds
Disable SecurePoll Extension
allTemporarily disable the vulnerable SecurePoll extension if immediate patching isn't possible.
Edit LocalSettings.php and comment out or remove: wfLoadExtension('SecurePoll');
Implement WAF Rules
allConfigure web application firewall to block XSS payloads targeting poll inputs and page names.
🧯 If You Can't Patch
- Disable the SecurePoll extension completely.
- Implement strict Content Security Policy (CSP) headers to mitigate script execution.
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version and SecurePoll extension version. If using affected versions (1.39.X < 1.39.13, 1.42.X < 1.42.7, 1.43.X < 1.43.2), you are vulnerable.Check Version:
Check MediaWiki version in Special:Version page or examine LocalSettings.php and extensions/SecurePoll/extension.json.Verify Fix Applied:
Verify SecurePoll extension version is 1.39.13, 1.42.7, or 1.43.2 or higher. Test poll creation and result pages for proper input escaping.📡 Detection & Monitoring
Log Indicators:
- Unusual poll creation or modification patterns
- JavaScript payloads in poll option fields or page name parameters
Network Indicators:
- HTTP requests containing script tags or JavaScript in poll-related parameters
SIEM Query:
source="web_server_logs" AND (uri_path="*VotePage*" OR uri_path="*ResultPage*") AND (query_string="*<script>*" OR query_string="*javascript:*")