CVE-2025-61651

CVSS Score: N/A | Severity: Unknown

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in the CheckUser extension for MediaWiki, maintained by the Wikimedia Foundation. An attacker can inject script into pages the extension generates, which then runs in the browser of whoever views them, typically a user holding the checkuser right, and can be used to hijack that user's session. It affects all MediaWiki installations running CheckUser extension versions before 1.44.1.

💻 Affected Systems

Products:
  • Wikimedia CheckUser Extension
Versions: All versions before 1.44.1
Operating Systems: All platforms running MediaWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the CheckUser extension enabled. Exploitation requires the attacker to have access to CheckUser functionality, or to trick a user who has it into visiting a crafted CheckUser page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies or credentials of administrators with the checkuser right, perform unauthorized actions as those privileged users, or compromise the entire MediaWiki installation.

🟠 Likely Case

Session hijacking, cookie theft, or defacement of CheckUser interface pages for targeted users.

🟢 If Mitigated

Limited to interface manipulation for users with CheckUser access, with no privilege escalation beyond existing permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires access to CheckUser functionality or social engineering to target users with CheckUser permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T403408

Restart Required: No

Instructions:

1. Update the CheckUser extension to version 1.44.1 or later: pull the fixed REL1_44 branch with git, or download the matching build from the MediaWiki Extension Distributor and replace extensions/CheckUser. (CheckUser is distributed as a git checkout or tarball, not through composer.)
2. Run maintenance/update.php afterwards so any schema changes shipped with the extension are applied.
3. Clear caches (object cache and any reverse proxy or CDN in front of the wiki) so patched pages are served.
4. Verify on Special:Version that the extension's version or commit is at or beyond 1.44.1.

🔧 Temporary Workarounds

Disable CheckUser Extension (applies to: all platforms)

Temporarily disable the CheckUser extension to eliminate the attack surface. This also removes Special:CheckUser and the extension's investigation tools for legitimate users until it is re-enabled; existing CheckUser data stays in the database.

Edit LocalSettings.php and comment out or remove: wfLoadExtension('CheckUser');

Restrict CheckUser Access (applies to: all platforms)

Limit CheckUser functionality to only essential administrators. This shrinks the pool of potential victims but does not remove the flaw; any remaining checkuser can still be targeted.

Review membership of the checkuser group (Special:UserRights) and make sure LocalSettings.php does not grant the checkuser right to any additional group via $wgGroupPermissions.

🧯 If You Can't Patch

  • Implement a strict Content Security Policy (CSP) with a restrictive script-src; MediaWiki has built-in CSP support via $wgCSPHeader. Roll it out in report-only mode first, because an over-strict policy breaks ResourceLoader and the wiki UI, and treat CSP as damage limitation rather than a fix.
  • Backport the fix commit referenced in the vendor advisory onto your CheckUser checkout (git cherry-pick) until a full upgrade is possible.

🔍 How to Verify

Check if Vulnerable:

Open Special:Version and look for CheckUser under the installed extensions: it shows the version string from the extension's extension.json and, for git checkouts, the branch and commit. Alternatively, read the version from the extension directory on disk. Note that extension.json's "version" field does not always track the MediaWiki release number; if it does not, compare the git branch and commit against the fix instead.

Check Version:

grep -o '"version": *"[^"]*"' /path/to/extensions/CheckUser/extension.json

Verify Fix Applied:

Confirm on Special:Version that the CheckUser extension reports 1.44.1 or later. If Special:Version shows a git branch and commit instead of a release number, confirm the checkout is on the fixed branch at or after the commit referenced in the vendor advisory.
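The check above as an added Python example; this is not tooling from the page or from the CheckUser project. It reads extension.json and .git/HEAD from an extension directory, compares the version string against 1.44.1 and reports the git branch so the reader can cross-check against the fixed REL1_44 branch. It assumes the "version" field follows the 1.44.x numbering this advisory uses (where it does not, vulnerable is reported as None and the branch/commit must be compared by hand). The manifests built by demo() are constructed, not real checkouts.

```python
import json
import re
from pathlib import Path

# First fixed version according to this advisory.
FIXED_VERSION = (1, 44, 1)


def parse_version(text):
    """'1.44.1' -> (1, 44, 1); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0))


def is_vulnerable(version_text):
    """True when the reported version is older than the first fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def git_head(ext_dir):
    """Branch name (e.g. 'REL1_44') or bare commit hash from .git/HEAD, else None."""
    head = Path(ext_dir) / ".git" / "HEAD"
    if not head.is_file():
        return None
    ref = head.read_text().strip()
    prefix = "ref: refs/heads/"
    return ref[len(prefix):] if ref.startswith(prefix) else ref  # detached HEAD -> hash


def assess(ext_dir):
    """Summarise one extension checkout: manifest version, git head, vulnerability verdict."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "extension.json").read_text())
    version = manifest.get("version")
    result = {"name": manifest.get("name"), "version": version, "git_head": git_head(ext_dir)}
    try:
        # None when the manifest carries no 1.x.y style version: compare branch/commit instead.
        result["vulnerable"] = is_vulnerable(version) if version else None
    except ValueError:
        result["vulnerable"] = None
    return result


def demo():
    """Constructed manifests (not real CheckUser checkouts) showing both outcomes."""
    import tempfile
    results = []
    for version, branch in (("1.43.0", "REL1_43"), ("1.44.1", "REL1_44")):
        with tempfile.TemporaryDirectory() as d:
            root = Path(d)
            (root / ".git").mkdir()
            (root / ".git" / "HEAD").write_text(f"ref: refs/heads/{branch}\n")
            (root / "extension.json").write_text(
                json.dumps({"name": "CheckUser", "version": version, "manifest_version": 2}))
            results.append(assess(root))
    return results


if __name__ == "__main__":
    # Replace demo() with assess("/path/to/extensions/CheckUser") on a real install.
    for r in demo():
        print(r)
```

On a live wiki, run assess() against the real extensions/CheckUser directory; a git_head of REL1_44 alone does not prove the fix is present, since the branch may be checked out at a commit older than the 1.44.1 release, so compare the commit date with the advisory when the version field is not conclusive.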

📡 Detection & Monitoring

Log Indicators:

  • Unusual CheckUser queries whose parameters contain script-like payloads (note that the payload will normally arrive percent-encoded in web server logs)
  • Entries in Special:CheckUserLog from accounts, sessions or IP addresses that do not normally run checks, which can indicate a hijacked checkuser session

Network Indicators:

  • HTTP requests to CheckUser endpoints containing script tags or JavaScript code in parameters

SIEM Query:

source="*access.log*" AND (uri_path="*Special:CheckUser*" OR uri_path="*checkuser*" OR query_string="*title=Special:CheckUser*") AND (query_string="*<script*" OR query_string="*%3Cscript*" OR query_string="*javascript:*" OR query_string="*javascript%3A*")

Field names follow a Splunk-style access log extraction and must be adapted to your SIEM; match on both the raw and percent-encoded forms, because browsers encode the payload before it reaches the access log, and double-encoded variants (%253C) will still be missed unless the log is decoded first.
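The detection logic above, run over sample access log lines as an added Python example (not part of this page or of any CheckUser tooling). Unlike the SIEM query it percent-decodes the request target repeatedly before matching, so single- and double-encoded payloads are caught, and it scopes matches to Special:CheckUser whether reached through a pretty URL or through index.php?title=. The log lines are constructed for the example; the combined log format, the field layout, and the payload markers beyond "<script" and "javascript:" named on this page are assumptions, and localized aliases of the special page name are not covered.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wiki/Special:CheckUser?user=Alice&reason=routine HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:12:00:07 +0000] "GET /w/index.php?title=Special:CheckUser&user=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:12:00:09 +0000] "GET /w/index.php?title=Special:CheckUser&reason=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2025:12:01:00 +0000] "GET /wiki/Main_Page?q=%3Cscript%3E HTTP/1.1" 200 4000 "-" "curl/8.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script-injection markers matched against the fully decoded query string.
# Only "<script" and "javascript:" come from this page; the rest is an assumption to tune.
PAYLOAD_RE = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|object|embed)\b",
    re.I,
)


def fully_unquote(s, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads (%253C) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def targets_checkuser(target):
    """True for Special:CheckUser via /wiki/Special:CheckUser or index.php?title=...
    Localized aliases of the special page name are not handled (assumption)."""
    parts = urlsplit(target)
    if "special:checkuser" in fully_unquote(parts.path).lower():
        return True
    title = parse_qs(parts.query).get("title", [""])[0]
    return fully_unquote(title).lower().startswith("special:checkuser")


def scan(log_text):
    """Return one hit per CheckUser request whose decoded query carries a payload marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not targets_checkuser(m["target"]):
            continue
        query = fully_unquote(urlsplit(m["target"]).query)
        found = PAYLOAD_RE.search(query)
        if found:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "matched": found.group(0)})
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/apache2/access.log").read() on a real host.
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} matched {hit["matched"]!r} in {hit["target"]}')
```

Against the constructed lines the scanner flags the two requests from 203.0.113.9 and ignores both the routine check and the "<script" aimed at Main_Page, which is the scoping the SIEM query cannot express without a decoded field.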
