CVE-2025-62702
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62702, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-21

Last updated on: 2025-10-21

Assigner: wikimedia-foundation

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS.This issue affects Mediawiki - PageTriage Extension: from master before 1.44.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-21
Last Modified
2025-10-21
Generated
2026-07-06
AI Q&A
2025-10-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
the_wikimedia_foundation mediawiki 1.45.0-alpha
the_wikimedia_foundation mediawiki_pagetriage_extension *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-62702 is a stored Cross-Site Scripting (XSS) vulnerability in the PageTriage extension of MediaWiki. It occurs because certain system messages are inserted into the web page as raw HTML without proper escaping, allowing attackers to inject malicious HTML or JavaScript code. This malicious code is then executed in the browsers of users with sysop privileges when they view the PageTriage interface, potentially compromising their accounts or the system. [1]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary scripts in the context of privileged users (sysops) of the MediaWiki PageTriage interface. This can lead to unauthorized actions such as stealing credentials, performing actions on behalf of the user, or compromising the integrity of the system. The attack requires the attacker to inject malicious content into system messages and the victim to have sysop privileges to trigger the exploit. [1]

Detection Guidance

This vulnerability can be detected by testing whether the system messages `pagetriage-new-page-feed-show-ip` and `pagetriage-new-page-feed-show-ip-not-found` in the MediaWiki PageTriage extension are vulnerable to stored XSS. Detection involves editing these system messages to include a harmless test payload such as `<img src='' onerror='alert(1)'>` or `<img src='' onerror='alert(2)'>`, then accessing the Special:NewPagesFeed page with a sysop account to see if the payload executes. There are no specific network commands provided, but the detection is done through the MediaWiki interface and system message editing. Steps include: 1) Editing the system messages to include test HTML/JavaScript, 2) Creating new pages with a temporary account, 3) Accessing the Special:NewPagesFeed page as a sysop to observe if the payload triggers an alert. [1]

Mitigation Strategies

Immediate mitigation steps include applying the official patches that escape system messages before inserting them into the DOM, as released by the Wikimedia Foundation. If patching is not immediately possible, restrict permissions to edit system messages such as `pagetriage-new-page-feed-show-ip` and `pagetriage-new-page-feed-show-ip-not-found` to trusted users only, and limit sysop access to the PageTriage interface to prevent triggering the XSS. Additionally, review and remove any malicious content from these system messages. Upgrading to MediaWiki versions where the fix is applied (including master and REL1_44 branches) is recommended. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62702. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart