CVE-2025-61648

N/A Unknown

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in Wikimedia Foundation's CheckUser extension. It allows attackers to inject malicious scripts into web pages viewed by other users, potentially stealing session cookies or performing actions on their behalf. The vulnerability affects all Wikimedia installations running CheckUser extension versions before 1.44.1.

💻 Affected Systems

Products:
  • Wikimedia CheckUser extension
Versions: All versions before 1.44.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with CheckUser extension enabled. Requires attacker access to CheckUser interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain unauthorized access to CheckUser functionality, view private user data, or perform administrative actions on the wiki.

🟠 Likely Case

Attackers with access to CheckUser interface could inject scripts that steal session cookies from other users viewing affected pages, potentially compromising their accounts.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to CheckUser functionality. The vulnerability is in specific Vue.js and JavaScript components handling user input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T402077

Restart Required: No

Instructions:

1. Update CheckUser extension to version 1.44.1 or later.
2. For MediaWiki installations: Update via composer or extension manager.
3. Clear browser cache and server cache if applicable.

🔧 Temporary Workarounds

Disable CheckUser extension (all)

Temporarily disable the CheckUser extension until patching is possible.

Edit LocalSettings.php and remove or comment out: wfLoadExtension('CheckUser');

Restrict CheckUser access (all)

Limit CheckUser functionality to trusted administrators only.

Edit LocalSettings.php and add: $wgGroupPermissions['sysop']['checkuser'] = true;

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Enable MediaWiki's built-in XSS protection features and ensure output encoding is enabled

🔍 How to Verify

Check if Vulnerable:

Check CheckUser extension version in MediaWiki's Special:Version page or examine extension files for versions before 1.44.1

Check Version:

For MediaWiki: Check Special:Version page or examine extensions/CheckUser/extension.json version field

Verify Fix Applied:

Confirm CheckUser extension version is 1.44.1 or later in Special:Version page
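The version check above can be scripted against the extension manifest the advisory names. The following is an added example, not tooling from the advisory or from the CheckUser project; it reads extensions/CheckUser/extension.json, compares its version field with 1.44.1, and reports a result. The sample manifests embedded in it are constructed for a stand-alone run and are not copies of the real file.

```python
import json
import re
import sys

# Version that the advisory names as fixed
PATCHED_VERSION = "1.44.1"


def parse_version(version):
    """Turn a version string such as "1.44.0" or "1.44.1-beta" into a tuple of
    integers for ordered comparison; only the leading dotted numeric part counts."""
    core = re.split(r"[-+ ]", version.strip(), maxsplit=1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def is_vulnerable(extension_json_text, patched=PATCHED_VERSION):
    """Return True if the extension.json content declares a version earlier than
    the patched one, False if it is patched, and None if no version field exists
    (in that case fall back to Special:Version)."""
    data = json.loads(extension_json_text)
    version = data.get("version")
    if not version:
        return None
    return parse_version(version) < parse_version(patched)


def check_file(path, patched=PATCHED_VERSION):
    """Apply is_vulnerable() to an extension.json file on disk."""
    with open(path, encoding="utf-8") as fh:
        return is_vulnerable(fh.read(), patched)


# Constructed sample manifests (not copied from the real extension) so the
# script can be exercised without a MediaWiki checkout
SAMPLE_OLD = json.dumps({"name": "CheckUser", "version": "1.44.0"})
SAMPLE_FIXED = json.dumps({"name": "CheckUser", "version": "1.44.1"})
SAMPLE_NO_VERSION = json.dumps({"name": "CheckUser"})

if __name__ == "__main__":
    # Default path assumes the script is run from the MediaWiki root
    path = sys.argv[1] if len(sys.argv) > 1 else "extensions/CheckUser/extension.json"
    try:
        result = check_file(path)
    except FileNotFoundError:
        print(f"{path} not found; is the CheckUser extension installed?")
        sys.exit(2)
    if result is None:
        print("extension.json has no version field; check Special:Version instead")
    elif result:
        print(f"VULNERABLE: CheckUser version is earlier than {PATCHED_VERSION}")
    else:
        print(f"OK: CheckUser version is {PATCHED_VERSION} or later")
```

Run it from the MediaWiki root (or pass the manifest path as the first argument). Pre-release suffixes such as "-beta" are ignored for the comparison, and a manifest without a version field is reported as undetermined rather than as patched.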

📡 Detection & Monitoring

Log Indicators:

  • Unusual CheckUser log entries, suspicious input patterns in web server logs
  • JavaScript execution attempts in CheckUser-related requests

Network Indicators:

  • Malicious script payloads in HTTP requests to CheckUser endpoints
  • Unexpected external resource loads from CheckUser pages

SIEM Query:

web.url:*CheckUser* AND (web.payload:*script* OR web.payload:*javascript:* OR web.payload:*onload=* OR web.payload:*onerror=*)
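The SIEM query above expressed as a small log scanner, added here as an example that is not part of the advisory. It applies the same indicators (script tags, javascript: URLs, onload= and onerror= handlers) to requests whose URL mentions CheckUser, but URL-decodes the request first so that encoded payloads are not missed, and uses `<script` rather than the bare `*script*` wildcard, which would also match harmless words such as "description". The log lines are constructed for the example and the log format assumed is the common Apache/nginx combined format.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access log lines (not from a real server)
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2025:10:00:01 +0000] "GET /w/index.php?title=Special:CheckUser&user=Alice HTTP/1.1" 200 5120
203.0.113.11 - - [01/Oct/2025:10:00:02 +0000] "GET /w/index.php?title=Special:CheckUser&reason=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5320
203.0.113.12 - - [01/Oct/2025:10:00:03 +0000] "GET /w/index.php?title=Special:CheckUser&reason=see%20description HTTP/1.1" 200 5100
203.0.113.13 - - [01/Oct/2025:10:00:04 +0000] "GET /w/index.php?title=Main_Page&x=%3Cscript%3E HTTP/1.1" 200 4000
203.0.113.14 - - [01/Oct/2025:10:00:05 +0000] "GET /w/index.php?title=Special:CheckUser&user=%22%20onerror%3Dx HTTP/1.1" 200 5100
"""

# Combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators from the advisory's query, tightened to reduce false positives:
# a literal script tag, a javascript: URL, or an onload=/onerror= handler
SUSPICIOUS = re.compile(r"<\s*script|javascript:|on(?:load|error)\s*=", re.IGNORECASE)
CHECKUSER = re.compile(r"checkuser", re.IGNORECASE)


def inspect_line(line):
    """Return an alert dict for a CheckUser request carrying an XSS indicator,
    or None for unparseable, unrelated, or clean lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = unquote_plus(m.group("url"))  # decode %3C, %22, + etc. before matching
    if not CHECKUSER.search(url):
        return None
    hit = SUSPICIOUS.search(url)
    if not hit:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "indicator": hit.group(0),
        "url": url,
    }


def scan_log(text):
    """Run inspect_line() over every line and collect the alerts."""
    return [alert for alert in (inspect_line(l) for l in text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} {alert['indicator']!r} {alert['url']}")
```

Against the sample it flags the second and fifth lines only: the third contains "description" but no script tag, and the fourth carries a script tag but is not a CheckUser request. Two limits worth knowing before relying on it: access logs record query strings, not POST bodies, so form submissions to the CheckUser interface are only visible if the application logs them, and a single decode pass will not unwrap double-encoded input.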
