CVE-2025-61655

N/A Unknown

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in Wikimedia Foundation's VisualEditor component (improper neutralization of input during web page generation). Attackers with editing privileges can inject script that runs in the browsers of other users, potentially compromising their sessions. This affects any MediaWiki site running a vulnerable VisualEditor version.

💻 Affected Systems

Products:
  • Wikimedia VisualEditor
Versions: VisualEditor before 1.39.14 (1.39 branch), before 1.43.4 (1.43 branch), and before 1.44.1 (1.44 branch)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects MediaWiki installations with VisualEditor enabled. The vulnerability is in specific API and JavaScript files.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, deface pages, or distribute malware to users visiting compromised pages.

🟠

Likely Case

Session hijacking, cookie theft, or page defacement affecting users who interact with maliciously edited content.

🟢

If Mitigated

Limited impact if proper content sanitization and CSP headers are enforced, though some XSS vectors may still work.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires editing privileges. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: VisualEditor 1.39.14, 1.43.4, or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T395858

Restart Required: No

Instructions:

1. Update the VisualEditor extension to a patched version.
2. Update MediaWiki core if required.
3. Clear caches.
4. Verify functionality.

🔧 Temporary Workarounds

Disable VisualEditor (applies to: all affected versions)

Temporarily disable the VisualEditor extension to mitigate risk. The extension is loaded from LocalSettings.php; comment out (or remove) its load line:

# wfLoadExtension( 'VisualEditor' );

Enforce Content Security Policy (applies to: all affected versions)

Implement strict CSP headers to limit XSS impact, for example by adding to the web server config:

Content-Security-Policy: default-src 'self'

Note that a bare default-src 'self' also blocks inline scripts, which MediaWiki's own page startup relies on, so roll the policy out in report-only mode (Content-Security-Policy-Report-Only) and review the reports before enforcing it. MediaWiki also provides a $wgCSPHeader setting for emitting a policy from the application itself.

🧯 If You Can't Patch

  • Restrict editing privileges to trusted users only
  • Implement WAF rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Open the wiki's Special:Version page and read the MediaWiki version from the installed-software table and the VisualEditor entry from the installed-extensions table.

Check Version (from the MediaWiki root directory):

php maintenance/run.php version

(On releases older than 1.40, which predate run.php, use php maintenance/version.php.) The patched VisualEditor versions quoted above follow the MediaWiki release branches, because VisualEditor is bundled with MediaWiki, so the core version is the number to compare.

Verify Fix Applied:

Confirm the version is 1.39.14 or higher on the 1.39 branch, 1.43.4 or higher on the 1.43 branch, or 1.44.1 or higher on the 1.44 branch.
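A branch-aware version check, added here as an example and not part of the advisory: it compares the installed MediaWiki/VisualEditor version against the patched release for its own branch, as integer tuples rather than strings (a string comparison would rank "1.39.9" above "1.39.14"). The assumption that branches newer than 1.44 include the fix, and the treatment of branches with no listed patched release (1.40 to 1.42) as vulnerable, are the example's own and are marked in the code.

```python
# Added example, not taken from the advisory: branch-aware check that an
# installed MediaWiki/VisualEditor version meets the patched release listed
# for its branch. Versions are compared as integer tuples, because a plain
# string comparison would rank "1.39.9" above "1.39.14".
from typing import Tuple

# Patched releases named in the advisory, keyed by release branch.
PATCHED = {
    (1, 39): (1, 39, 14),
    (1, 43): (1, 43, 4),
    (1, 44): (1, 44, 1),
}
NEWEST_PATCHED_BRANCH = max(PATCHED)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.39.14' (or a suffixed form such as '1.44.1-rc.0') into integers."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(text: str) -> bool:
    """True if the version is at or above the patched release for its branch."""
    version = parse_version(text)
    branch = version[:2]
    if branch in PATCHED:
        return version >= PATCHED[branch]
    # Assumption (not stated by the advisory): branches newer than 1.44 were
    # released after the fix and include it.
    if branch > NEWEST_PATCHED_BRANCH:
        return True
    # Branches with no patched release on the page (for example 1.40 to 1.42)
    # are treated as vulnerable until upgraded to a patched branch.
    return False


if __name__ == "__main__":
    for sample in ["1.39.9", "1.39.14", "1.42.6", "1.44.0", "1.44.1"]:
        print(sample, "patched" if is_patched(sample) else "VULNERABLE")
```

Feed it the string printed by the version command above; a `ValueError` means the string did not look like a release number and should be checked by hand.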

📡 Detection & Monitoring

Log Indicators:

  • Unusual edit patterns (for example bursts of edits from one account or client address)
  • JavaScript in page revisions (script tags, inline event handlers, or javascript: URLs in revision text)
  • Multiple failed edit attempts

Network Indicators:

  • Requests with script tags in edit parameters
  • Unusual POST requests to edit endpoints (index.php with action=edit or action=submit, and the api.php edit actions)

SIEM Query:

source="apache" AND ("edit" OR "save") AND ("script" OR "javascript" OR "onload")

Caveat: Apache access logs record the request line (method, path and query string) but not POST bodies, so this query only sees payloads that appear in the URL and cannot see the edited content itself; it misses URL-encoded payloads unless the log has been decoded first, and it matches benign traffic such as an edit to a page titled "JavaScript". Treat it as a first filter and confirm findings against the revision text.
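Two detection helpers, added here as an example and not part of the advisory, covering the log and revision indicators listed above. `scan_access_log` applies the SIEM query's idea to Apache combined-format lines but URL-decodes the request target first and restricts matches to edit endpoints, so an encoded `%3Cscript%3E` is caught while an ordinary edit of a page titled "JavaScript" is not; `scan_revision` looks for the same script-like markup in revision text, which is where a stored payload actually ends up. The log lines, addresses and revision text are constructed for the example, and the `EDIT_PATH_RE`/`XSS_RE` patterns are the example's own heuristics.

```python
# Added example, not taken from the advisory: detection helpers for the two
# places the indicators above point at. Sample log lines and revision text
# are constructed for the example.
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Apache combined-format request line: client, timestamp, method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Edit endpoints: index.php with action=edit/submit, or the API.
EDIT_PATH_RE = re.compile(r'/(index\.php\?.*\baction=(edit|submit)\b|api\.php)')
# Markup that has no business in a normal edit request or revision (heuristic).
XSS_RE = re.compile(
    r'<\s*script\b'
    r'|\bjavascript\s*:'
    r'|\bon(load|error|click|mouseover|mouseenter|focus|blur|submit|input|change|toggle)\s*='
    r'|<\s*(iframe|object|embed)\b',
    re.I,
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, method, decoded target) for edit requests carrying script-like markup.

    The target is URL-decoded before matching: a payload sent as %3Cscript%3E
    never contains the literal word "script", so a raw keyword search misses it.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote_plus(m["target"])
        if EDIT_PATH_RE.search(target) and XSS_RE.search(target):
            hits.append((m["ip"], m["method"], target))
    return hits


def scan_revision(text: str) -> List[str]:
    """Return the script-like fragments found in one revision's wikitext."""
    return [m.group(0) for m in XSS_RE.finditer(text)]


# Constructed sample data (not real traffic or real page content).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /w/api.php?action=visualeditoredit&page=Sandbox HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2025:12:00:07 +0000] "GET /w/index.php?title=Sandbox&action=edit&preloadtitle=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 8192',
    '198.51.100.7 - - [10/Oct/2025:12:01:00 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Oct/2025:12:01:10 +0000] "GET /w/index.php?title=JavaScript&action=edit HTTP/1.1" 200 4096',
]
REVISIONS = {
    "benign": "== Sandbox ==\nSome text with a [[Link]] and <code>onload</code> mentioned as prose.",
    "suspicious": '<img src=x onerror="alert(document.cookie)">',
}

if __name__ == "__main__":
    for ip, method, target in scan_access_log(LOG_LINES):
        print(f"log hit: {ip} {method} {target}")
    for name, text in REVISIONS.items():
        print(f"revision {name}: {scan_revision(text)}")
```

Only the encoded-payload edit request is reported from the log, and only the revision with the inline event handler is reported from the page content; the fourth log line, which the keyword query above would match, is correctly ignored.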
