CVE-2025-61636

N/A Unknown

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in MediaWiki's HTMLButtonField.php (includes/htmlform/fields/HTMLButtonField.php) that lets an attacker inject script into rendered pages. Any MediaWiki instance running an unpatched version is affected, and users who view a manipulated page can be compromised. The flaw lies in how the button field is rendered.

💻 Affected Systems

Products:
  • Wikimedia Foundation MediaWiki
Versions: MediaWiki versions before 1.39.14, 1.43.4, and 1.44.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the HTML button field component in includes/htmlform/fields/HTMLButtonField.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface pages, or redirect users to malicious sites.

🟠 Likely Case

Session hijacking, credential theft, or limited page manipulation by authenticated users with edit privileges.

🟢 If Mitigated

Limited impact if Content Security Policy (CSP) is properly configured and input validation is enforced elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation likely requires some level of edit privileges to manipulate button fields.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.39.14, 1.43.4, or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T394396

Restart Required: No

Instructions:

1. Back up your MediaWiki installation.
2. Update to MediaWiki 1.39.14, 1.43.4, or 1.44.1.
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Input Sanitization Enhancement (all platforms)

Add additional input validation for HTML button field parameters.

Approach: manual code review and hardening of HTMLButtonField.php.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Restrict edit privileges and monitor for suspicious button field modifications

🔍 How to Verify

Check if Vulnerable:

Check the MediaWiki version on the Special:Version page, or read the MW_VERSION constant from includes/Defines.php (LocalSettings.php does not normally contain the version).

Check Version:

grep "MW_VERSION" includes/Defines.php

Verify Fix Applied:

Confirm the version is at or past the fixed release for its branch: 1.39.x needs 1.39.14 or later, 1.43.x needs 1.43.4 or later, and 1.44.x needs 1.44.1 or later.
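The branch-by-branch comparison above is easy to get wrong with a plain "greater than 1.39.14" test, so here is a small POSIX shell checker as an added example (it is not MediaWiki project code and not part of this advisory). It reads MW_VERSION from includes/Defines.php and reports whether the version carries the fix. It assumes, since the advisory lists no fixed release for them, that the 1.40 to 1.42 branches are still vulnerable, and that 1.45 and newer carry the fix; the Defines.php fragment it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this advisory; not MediaWiki project code.
# Decides whether a MediaWiki version string is at or past the fixed releases
# 1.39.14, 1.43.4 and 1.44.1, branch by branch, so that a version such as
# 1.42.0 is not mistaken for "newer than 1.39.14" and therefore safe.
# Assumption (not stated in the advisory): branches 1.40-1.42 received no fix
# and are reported as vulnerable; 1.45 and newer are treated as fixed.

# Extract the version from includes/Defines.php, which holds a line like
#   define( 'MW_VERSION', '1.43.4' );
mw_version_from_defines() {
    sed -n "s/^[[:space:]]*define( *'MW_VERSION', *'\([^']*\)'.*/\1/p" "$1"
}

# Print "patched", "vulnerable" or "unknown" and return 0, 1 or 2 respectively.
mw_is_patched() {
    ver=$1
    major=${ver%%.*}                 # text before the first dot
    rest=${ver#*.}                   # text after the first dot
    if [ "$rest" = "$ver" ]; then    # no dot at all: cannot be judged
        echo unknown; return 2
    fi
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0                      # "1.44" means 1.44.0
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*//')     # "0-rc.1" -> "0"
    [ -z "$patch" ] && patch=0
    case "$major$minor" in
        ''|*[!0-9]*) echo unknown; return 2 ;;             # non-numeric parts
    esac

    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 45 ]; } \
       || { [ "$major" -eq 1 ] && [ "$minor" -eq 39 ] && [ "$patch" -ge 14 ]; } \
       || { [ "$major" -eq 1 ] && [ "$minor" -eq 43 ] && [ "$patch" -ge 4 ]; } \
       || { [ "$major" -eq 1 ] && [ "$minor" -eq 44 ] && [ "$patch" -ge 1 ]; }; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Demonstration on a constructed Defines.php fragment (not a real install) plus
# a few hand-picked version strings. Against a real wiki, run:
#   mw_is_patched "$(mw_version_from_defines /path/to/mediawiki/includes/Defines.php)"
sample=$(mktemp)
printf "<?php\ndefine( 'MW_VERSION', '1.42.0' );\n" > "$sample"
v=$(mw_version_from_defines "$sample")
rm -f "$sample"
echo "Defines.php sample: $v -> $(mw_is_patched "$v")"
for v in 1.39.13 1.39.14 1.43.4 1.44.0 1.45.0-rc.0; do
    echo "$v -> $(mw_is_patched "$v")"
done
```

The exit status makes the function usable from a fleet inventory script (for example, looping over a list of hosts and collecting the ones that return 1), while the printed word keeps it readable when run by hand.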

📡 Detection & Monitoring

Log Indicators:

  • Unusual button field modifications
  • Suspicious HTML/script content in form submissions

Network Indicators:

  • Unexpected script tags in button-related HTTP responses

SIEM Query:

Search MediaWiki edit logs for patterns such as '<script>' or 'javascript:'.
