CVE-2025-61654
SQL Injection in Wikimedia ThanksQueryHelper.Php Before
Publication date: 2026-02-03
Last updated on: 2026-03-03
Assigner: wikimedia-foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wikimedia_foundation | mediawiki_thanks_extension | From 1.43 (inc) to 1.44 (exc) |
| wikimedia_foundation | mediawiki_growth_experiments_extension | From 1.43 (inc) to 1.44 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Incorrect Default Permissions issue in the Wikimedia Foundation's Mediawiki Thanks Extension and Growth Experiments Extension versions from 1.43 up to, but not including, 1.44. It allows unauthorized access to functionality that is not properly restricted by Access Control Lists (ACLs), meaning users can access features they should not be able to. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
The vulnerability can allow unauthorized users to access certain functionalities within the affected Mediawiki extensions without proper permissions. This could lead to unintended exposure or misuse of features, potentially impacting the confidentiality, integrity, or availability of the system, although the impact is considered low to medium severity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves incorrect default permissions in the Wikimedia Foundation's Mediawiki Thanks Extension and Growth Experiments Extension. Detection would involve checking the permissions and access control lists (ACLs) on the affected program files, especially includes/ThanksQueryHelper.Php, to ensure they are properly constrained. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Mediawiki Thanks Extension and Growth Experiments Extension to versions 1.44 or later, where the incorrect default permissions issue has been resolved. Additionally, reviewing and correcting ACLs on the affected files to restrict unauthorized access can help mitigate the vulnerability. [1]