CVE-2025-53488
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: wikimedia-foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in the WikiHiero extension of MediaWiki. It occurs because certain system messages are inserted into the web page's DOM as raw HTML without proper sanitization, allowing an attacker to inject malicious HTML and JavaScript code. Specifically, the messages 'wikihiero-input' and 'wikihiero-result' are concatenated with raw HTML in the extension's JavaScript code, enabling arbitrary code injection when these messages are edited. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of the affected MediaWiki site. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacing the website, or distributing malware to users visiting the site. Since it is a stored XSS, the malicious code persists and affects all users who view the compromised pages. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the stored XSS condition on a vulnerable MediaWiki WikiHiero extension instance. Specifically, navigate to the Special:Hieroglyphs page with a crafted language parameter (e.g., Special:Hieroglyphs?uselang=x-xss), enter arbitrary text containing HTML or JavaScript payloads into the input, and submit it. If the input is reflected as executable HTML/JavaScript in the page without sanitization, the vulnerability is present. There are no specific network commands provided, but testing the input handling on the affected page is the method to detect it. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the official patch that changes the insertion of system messages from raw HTML concatenation to using safe text insertion methods (e.g., jQuery's .text()) to properly escape content and prevent XSS. If patching is not immediately possible, restrict editing permissions on system messages "wikihiero-input" and "wikihiero-result" to trusted users only, and avoid using the vulnerable WikiHiero extension version (from 1.43.X before 1.43.2). The fix has been deployed to Wikimedia production as of July 2025. [1]