CVE-2025-61650


📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Wikimedia Foundation's CheckUser extension that allows attackers to inject malicious scripts into web pages. It affects users of MediaWiki installations with the CheckUser extension enabled. The vulnerability occurs in the user information card service component.

💻 Affected Systems

Products:
  • Wikimedia Foundation CheckUser extension
Versions: All versions before commit 795bf333272206a0189050d975e94b70eb7dc507
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CheckUser extension to be installed and enabled on MediaWiki.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal administrator session cookies, perform actions as privileged users, or redirect users to malicious sites.

🟠 Likely Case: Session hijacking, credential theft, or defacement of user information pages.

🟢 If Mitigated: Limited impact if proper content security policies and input validation are already in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity once the injection point is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 795bf333272206a0189050d975e94b70eb7dc507 and later

Vendor Advisory: https://phabricator.wikimedia.org/T403289

Restart Required: No

Instructions:

1. Update the CheckUser extension to commit 795bf333272206a0189050d975e94b70eb7dc507 or later.
2. Clear the MediaWiki cache.
3. Verify the fix by checking the extension version.

🔧 Temporary Workarounds

Disable CheckUser extension
Applies to: all

Temporarily disable the vulnerable CheckUser extension.

Edit LocalSettings.php and comment out or remove wfLoadExtension('CheckUser');

Implement Content Security Policy
Applies to: all

Add CSP headers to restrict script execution (the directives below are Apache and Nginx syntax respectively):

For Apache: Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
For Nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

Caveat: MediaWiki itself emits inline scripts, so a policy with no 'unsafe-inline' or nonce allowance will break normal page functionality; test the header on a staging wiki before deploying it.

🧯 If You Can't Patch

  • Implement strict input validation for all user inputs in the CheckUser service
  • Apply output encoding to all user-controlled data displayed in the user info card

🔍 How to Verify

Check if Vulnerable / Check Version:

cd extensions/CheckUser && git log --oneline | head -1

Verify Fix Applied:

A commit hash cannot be compared as "later" by value, so check that the fixing commit is an ancestor of the checked-out revision (exit status 0 means the fix is present):

cd extensions/CheckUser && git merge-base --is-ancestor 795bf333272206a0189050d975e94b70eb7dc507 HEAD && echo "fix present"

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in CheckUser-related requests
  • Multiple failed attempts to access user info endpoints
  • Suspicious characters in user agent or referrer fields

Network Indicators:

  • HTTP requests containing script tags to CheckUser endpoints
  • Unusual outbound connections after accessing user info pages

SIEM Query:

(source="*apache*" OR source="*nginx*") AND (uri="*Special:CheckUser*" OR uri="*userinfo*" OR uri="*CheckUserUserInfoCardService*") AND (body="<script>" OR body="javascript:" OR body="onerror=" OR body="onload=")
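The same detection logic as a log-side check, added here as an example that is not part of the advisory or the CheckUser project. It parses Apache/Nginx combined-format lines, URL-decodes the request so encoded markers are caught, and flags only requests to the CheckUser-related paths listed above that carry one of the listed markers in the URI, referrer or user agent. The sample log lines and the REST-style path in them are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote

# Endpoint fragments and payload markers taken from the advisory's indicators.
CHECKUSER_PATHS = ("special:checkuser", "userinfo", "checkuseruserinfocardservice")
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Combined log format: ip ident user [ts] "METHOD uri PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def suspicious(line: str):
    """Return a reason string if the line matches the advisory's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: not this detector's job
    uri = unquote(m["uri"]).lower()  # decode %3C etc. before matching
    if not any(path in uri for path in CHECKUSER_PATHS):
        return None  # payload markers on unrelated pages are out of scope here
    # Check the request URI first, then the header fields the advisory also names.
    for field, value in (("uri", uri), ("referer", m["referer"]), ("ua", m["ua"])):
        decoded = unquote(value).lower()
        for marker in XSS_MARKERS:
            if marker in decoded:
                return f"{marker!r} in {field} from {m['ip']}"
    return None


def scan(lines):
    """Return (line index, reason) pairs for every flagged line."""
    hits = []
    for i, line in enumerate(lines):
        reason = suspicious(line)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample lines (documentation IP ranges, no real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2025:12:00:00 +0000] "GET /w/index.php?title=Special:CheckUser&user=Example HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "GET /w/index.php?title=Special:CheckUser&user=%3Cscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Oct/2025:12:00:09 +0000] "GET /w/rest.php/checkuser/v0/userinfo/Example HTTP/1.1" 200 812 "-" "Mozilla/5.0 <img onerror=x>"',
    '203.0.113.11 - - [10/Oct/2025:12:00:12 +0000] "GET /w/index.php?title=Main_Page&q=%3Cscript%3E HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_LOG):
        print(f"line {idx}: {why}")
```

The last sample line carries a marker but targets an unrelated page, so it is deliberately not flagged; widen CHECKUSER_PATHS if your deployment serves CheckUser under other routes.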
