CVE-2025-61654


📋 TL;DR

This vulnerability in the Wikimedia Foundation's Thanks extension for MediaWiki allows attackers to perform unauthorized actions via the ThanksQueryHelper.php file. It affects all MediaWiki installations running vulnerable versions of the Thanks extension. The exact nature of the flaw has not been fully disclosed, but it involves improper input validation.

💻 Affected Systems

Products:
  • Wikimedia Thanks extension
Versions: All versions before 1.43.4 and 1.44.1
Operating Systems: All platforms running MediaWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any MediaWiki installation with the Thanks extension enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption

🟠 Likely Case: Privilege escalation or unauthorized modification of thanks/acknowledgment data

🟢 If Mitigated: Limited impact if proper input validation and access controls are implemented

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires some level of access or specific conditions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.43.4 or 1.44.1

Vendor Advisory: https://phabricator.wikimedia.org/T397497

Restart Required: No

Instructions:

1. Backup your MediaWiki installation
2. Update the Thanks extension to version 1.43.4 or 1.44.1
3. Clear MediaWiki caches
4. Verify the update was successful

🔧 Temporary Workarounds

Disable Thanks Extension (all platforms)

Temporarily disable the vulnerable extension until patching is possible.

Remove or comment out "wfLoadExtension( 'Thanks' );" in LocalSettings.php

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all Thanks-related functions
  • Restrict access to Thanks functionality to authenticated users only

🔍 How to Verify

Check if Vulnerable:

Check the Thanks extension version on MediaWiki's Special:Version page, or inspect the installed extensions/Thanks/includes/ThanksQueryHelper.php file to confirm it comes from a patched release.

Check Version:

grep '"version"' extensions/Thanks/extension.json

Verify Fix Applied:

Confirm Thanks extension version is 1.43.4 or 1.44.1 in Special:Version

📡 Detection & Monitoring

Log Indicators:

  • Unusual Thanks-related API calls
  • Multiple failed Thanks operations
  • Unexpected modifications to thanks data

Network Indicators:

  • Abnormal traffic patterns to Thanks endpoints
  • Suspicious POST requests to Thanks-related URLs

SIEM Query:

source="mediawiki.log" AND ("ThanksQueryHelper" OR "thanks") AND status=error
