CVE-2025-61654
SQL Injection in Wikimedia ThanksQueryHelper.Php Before

Publication date: 2026-02-03

Last updated on: 2026-03-03

Assigner: wikimedia-foundation

Description

Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with the program file includes/ThanksQueryHelper.Php. This issue affects Thanks: from * before 1.43.4, 1.44.1.
Meta Information

Published: 2026-02-03
Last Modified: 2026-03-03
Generated: 2026-06-16
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-06-15
Affected Vendors & Products

Showing 2 associated CPEs

Vendor               Product                                      Version / Range
wikimedia_foundation mediawiki_thanks_extension                   From 1.43 (inc) to 1.44 (exc)
wikimedia_foundation mediawiki_growth_experiments_extension       From 1.43 (inc) to 1.44 (exc)
CWE

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI-Generated Analysis
Executive Summary

This vulnerability is an Incorrect Default Permissions issue in the Wikimedia Foundation's Mediawiki Thanks Extension and Growth Experiments Extension versions from 1.43 up to, but not including, 1.44. It allows unauthorized access to functionality that is not properly restricted by Access Control Lists (ACLs), meaning users can access features they should not be able to. [1]

Impact Analysis

The vulnerability can allow unauthorized users to access certain functionalities within the affected Mediawiki extensions without proper permissions. This could lead to unintended exposure or misuse of features, potentially impacting the confidentiality, integrity, or availability of the system, although the impact is considered low to medium severity. [1]

Detection Guidance

This vulnerability involves incorrect default permissions in the Wikimedia Foundation's Mediawiki Thanks Extension and Growth Experiments Extension. Detection would involve checking the permissions and access control lists (ACLs) on the affected program files, especially includes/ThanksQueryHelper.Php, to ensure they are properly constrained. Specific commands are not provided in the resources. [1]

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

Immediate mitigation steps include updating the Mediawiki Thanks Extension and Growth Experiments Extension to versions 1.44 or later, where the incorrect default permissions issue has been resolved. Additionally, reviewing and correcting ACLs on the affected files to restrict unauthorized access can help mitigate the vulnerability. [1]
