CVE-2025-61640

N/A Unknown

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in MediaWiki's RclToOrFromWidget.js component that allows attackers to inject malicious scripts into web pages. When exploited, it can enable session hijacking, data theft, or unauthorized actions on behalf of users. It affects MediaWiki instances running vulnerable versions that use the RCFilters feature.

💻 Affected Systems

Products:
  • Wikimedia Foundation MediaWiki
Versions: MediaWiki versions before 1.39.14, 1.43.4, and 1.44.1
Operating Systems: All operating systems running MediaWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using the RCFilters feature (Recent Changes filters). The vulnerability is in the RclToOrFromWidget.js component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, compromise user accounts, deface wikis, or distribute malware to visitors through persistent XSS payloads.

🟠 Likely Case

Attackers with access to edit pages could embed malicious scripts that execute in other users' browsers, potentially stealing session cookies or performing unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the risk is reduced to a minimum, though the vulnerable code remains in place until it is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to inject malicious input into the affected widget, typically through page editing privileges. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.39.14, 1.43.4, or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T402075

Restart Required: No

Instructions:

1. Back up your MediaWiki installation and database.
2. Update MediaWiki to version 1.39.14, 1.43.4, or 1.44.1, depending on your current branch.
3. Clear browser caches and MediaWiki caches.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable RCFilters Feature (all platforms)

Temporarily disable the Recent Changes filters feature to prevent exploitation of this vulnerability.

Add to LocalSettings.php: $wgRCFilters = false;

Implement Content Security Policy (all platforms)

Add a strict Content Security Policy header to mitigate the impact of XSS.

Add to web server config or LocalSettings.php (the Header set directive shown is Apache syntax): Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
Adjust the policy to your site's needs. Note that 'unsafe-inline' and 'unsafe-eval' in script-src still allow injected inline scripts to run, so the policy as written does little against the XSS itself; its main value is limiting what a payload can load from, or send to, other origins.

🧯 If You Can't Patch

  • Restrict editing privileges to trusted users only
  • Implement web application firewall rules to block XSS patterns

🔍 How to Verify

Check if Vulnerable:

Check the MediaWiki version on the Special:Version page or by examining the includes/DefaultSettings.php file for the version number.

Check Version:

grep 'wgVersion' includes/DefaultSettings.php

On current releases the version is also defined as the MW_VERSION constant in includes/Defines.php, so check that file as well if the grep above returns nothing.

Verify Fix Applied:

Verify via the Special:Version page that the version is 1.39.14, 1.43.4, or 1.44.1 or higher on its respective branch.
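The branch-aware comparison above is easy to get wrong by hand (1.43.3 is newer than 1.39.14 yet still vulnerable). The following is an added example, not MediaWiki code, that parses a version from Special:Version text, a $wgVersion line or a MW_VERSION define and compares it against the fixed release of its branch; treating branches with no fixed release (anything older than 1.39, or 1.40 through 1.42) as vulnerable is an assumption made here.

```python
"""Branch-aware check of a MediaWiki version against the fixed releases
named in this advisory (1.39.14, 1.43.4, 1.44.1). Added example, not MediaWiki code."""
import re

# Fixed release per supported branch, as listed in the advisory.
FIXED_BY_BRANCH = {(1, 39): (1, 39, 14), (1, 43): (1, 43, 4), (1, 44): (1, 44, 1)}


def parse_version(text: str) -> tuple:
    """Extract a dotted version from Special:Version text, a line such as
    "$wgVersion = '1.43.3';" or "define( 'MW_VERSION', '1.43.3' );", or a bare string.
    A bare "1.44" is treated as 1.44.0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text: str) -> bool:
    v = parse_version(text)
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # Assumption: a branch with no fixed release in the advisory (older than
        # 1.39, or 1.40-1.42) is vulnerable; anything newer than 1.44 is assumed
        # to carry the fix ("1.44.1 or higher").
        return branch < (1, 44)
    return v < fixed


def assess(text: str) -> str:
    v = parse_version(text)
    state = "VULNERABLE" if is_vulnerable(text) else "fixed"
    return f"{'.'.join(map(str, v))}: {state}"


if __name__ == "__main__":
    # Constructed sample inputs in the three formats an admin is likely to see.
    for sample in ["$wgVersion = '1.43.3';", "define( 'MW_VERSION', '1.44.1' );",
                   "MediaWiki 1.39.14", "1.42.0"]:
        print(assess(sample))
```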

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript in page edits
  • Multiple failed edit attempts with script tags
  • Unexpected changes to RCFilters-related pages

Network Indicators:

  • HTTP requests containing malicious script payloads in parameters
  • Unusual traffic to RCFilters endpoints

SIEM Query:

source="mediawiki_logs" AND ("script" OR "javascript" OR "onerror" OR "onload") AND "RCFilters"
