CVE-2025-6595

4.7 MEDIUM

📋 TL;DR

CVE-2025-6595 is a cross-site scripting (XSS, CWE-79) vulnerability in MultimediaViewer, the media viewer extension the Wikimedia Foundation ships with MediaWiki. Input that the extension places into a page is not properly neutralized, so attacker-controlled script can run in the browser of a user who views the affected content, with that user's session and privileges. MediaWiki installations that load MultimediaViewer at a version below the fixed releases (1.39.13, 1.42.7, 1.43.2, 1.44.0) are affected.

💻 Affected Systems

Products:
  • Wikimedia Foundation MultimediaViewer
Versions: MultimediaViewer: all releases before 1.39.13 (1.39 LTS branch), 1.42.7 (1.42 branch), 1.43.2 (1.43 LTS branch) and 1.44.0. The extension is released together with MediaWiki, so these are MediaWiki version numbers; branches not listed (1.40, 1.41) are end-of-life and have no fixed release.
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects MediaWiki installations that load the MultimediaViewer extension (it is bundled with the MediaWiki release tarball). The flaw is improper neutralization of input during web page generation: content that the viewer renders is not escaped correctly before it reaches the page.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface pages, or redirect users to malicious sites, potentially compromising the entire wiki instance.

🟠

Likely Case

Attackers steal user session cookies or credentials from users who view maliciously crafted content, leading to account compromise.

🟢

If Mitigated

With the patched release (or with the viewer disabled), injected markup is rendered as inert text: no script executes and the user simply sees the sanitized content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS is usually easy to exploit once the injection point is known: the attacker needs a way to place the payload and a victim who opens the affected page. The only reference is the Wikimedia Phabricator task (linked under Official Fix) where the issue was reported and fixed; no public exploit code is known at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.39.13, 1.42.7, 1.43.2 or 1.44.0 (or later on each branch)

Vendor Advisory: https://phabricator.wikimedia.org/T394863

Restart Required: No (PHP picks up the new files on the next request; if opcache.validate_timestamps is turned off, reload PHP-FPM or Apache so the old bytecode is dropped)

Instructions:

1. Upgrade MediaWiki to the fixed release of your branch: 1.39.13, 1.42.7, 1.43.2, or 1.44.0 or later. If you run an end-of-life branch (1.40, 1.41), move to a supported one.
2. If MultimediaViewer was installed separately (git checkout or Extension Distributor) rather than from the bundled tarball, update it from the matching release branch (for example REL1_43 for MediaWiki 1.43.x).
3. Run php maintenance/update.php, as for any MediaWiki upgrade.
4. Purge front-end caches (Varnish/CDN) so clients receive the updated pages; ResourceLoader versions its module URLs, so browser caches refresh on their own.
5. Confirm the new version on Special:Version.

🔧 Temporary Workarounds

Disable MultimediaViewer

Applies to: all versions

Temporarily remove the viewer so the vulnerable code never runs in users' browsers. Images then open on their normal file description pages.

Edit LocalSettings.php and comment out or remove the line that loads the extension: wfLoadExtension( 'MultimediaViewer' ); Setting only $wgMediaViewerEnableByDefault = false; is weaker: it makes the viewer opt-in, but users who already enabled it in their preferences keep running it.

Implement Content Security Policy (CSP)

Applies to: all versions

A CSP limits what an injected payload can do, but only if it forbids inline script. Do not deploy script-src 'self' 'unsafe-inline' 'unsafe-eval': 'unsafe-inline' is exactly the permission an injected <script> or onerror= handler needs, so that header gives no XSS protection at all. MediaWiki itself emits inline scripts, so a hand-written policy without 'unsafe-inline' breaks the site; use MediaWiki's built-in CSP support instead, which attaches nonces to its own inline scripts.

Add to LocalSettings.php, report-only first and review the reports on a staging copy before enforcing: $wgCSPReportOnlyHeader = true; then, once the reports are clean, $wgCSPHeader = true; Treat this as a reduction of impact, not a fix: the injection point remains until you patch.

🧯 If You Can't Patch

  • Reduce who can supply the content the viewer renders. The page does not name the exact field that carries the payload, but MultimediaViewer displays file pages and their metadata, so restricting uploads and edits to file description pages to trusted groups until you patch narrows the attacker population.
  • A WAF rule for common XSS strings (<script, javascript:, onerror=) buys a little time but is easily bypassed with encoding or alternative vectors; treat it as defense in depth, not a fix.
  • Put the upgrade on a firm date: none of the above removes the flaw.

🔍 How to Verify

Check if Vulnerable:

Find which MediaWiki branch you run and compare with the fixed release for that branch: 1.39.x below 1.39.13, 1.42.x below 1.42.7, 1.43.x below 1.43.2, or any other version below 1.44.0 (this includes the end-of-life 1.40 and 1.41 branches, which have no fixed release). You are only affected if the MultimediaViewer extension is loaded; Special:Version lists it under Installed extensions.

Check Version:

Open Special:Version in a browser (it shows the core version plus every loaded extension, with git branch and commit when available), or on the server run php maintenance/version.php, or grep for MW_VERSION in includes/Defines.php. The version is not recorded in LocalSettings.php. If MultimediaViewer lives in a separately managed checkout, check that checkout's branch too: a patched core with an old extension directory is still vulnerable.

Verify Fix Applied:

After upgrading, confirm on Special:Version that core reports 1.39.13, 1.42.7, 1.43.2 or 1.44.0+ and that MultimediaViewer comes from the matching release. Because no public proof of concept exists, verification is by version, not by replaying a payload; generic XSS probes against arbitrary inputs tell you little about this specific bug.
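As an added example (not from this page and not a MediaWiki or Wikimedia tool), the following Python script applies the branch rule above to the output of MediaWiki's siteinfo API (api.php?action=query&meta=siteinfo&siprop=general|extensions&format=json), which reports the core version in query.general.generator and the loaded extensions in query.extensions. The sample response is constructed. Two assumptions: MultimediaViewer appears in that list under exactly that name, and the extension directory tracks the core version, which holds for tarball installs but must be checked by hand for separately managed checkouts.

```python
import json
import re

# Fixed releases from this advisory, keyed by MediaWiki minor branch. The
# MultimediaViewer extension is released with MediaWiki, so these are core
# version numbers. Branches not listed (1.40, 1.41) have no fixed release.
FIXED_BY_BRANCH = {
    (1, 39): (1, 39, 13),
    (1, 42): (1, 42, 7),
    (1, 43): (1, 43, 2),
}
FIXED_MASTER = (1, 44, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?")


def parse_version(text):
    """Extract (major, minor, patch, prerelease) from strings such as
    'MediaWiki 1.39.10', "define( 'MW_VERSION', '1.43.2' );" or '1.45.0-alpha'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), m.group(4) or "")


def is_vulnerable(version):
    """True when the version is below the fixed release for its branch.
    A branch with a listed fix needs at least that patch release; any other
    branch (EOL ones, or master builds) needs 1.44.0 or newer. A pre-release
    of the fixed version predates the release and is flagged conservatively."""
    major, minor, patch, prerelease = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor), FIXED_MASTER)
    triple = (major, minor, patch)
    return triple < fixed or (triple == fixed and bool(prerelease))


def assess_siteinfo(siteinfo_json):
    """Evaluate the JSON returned by
    api.php?action=query&meta=siteinfo&siprop=general|extensions&format=json.
    Only installations that actually load MultimediaViewer are affected.
    Assumption: the extension is listed under the name 'MultimediaViewer'."""
    query = json.loads(siteinfo_json)["query"]
    core_version = query["general"]["generator"]  # e.g. "MediaWiki 1.39.10"
    loaded = any(ext.get("name") == "MultimediaViewer"
                 for ext in query.get("extensions", []))
    return {
        "core_version": core_version,
        "multimediaviewer_loaded": loaded,
        "vulnerable": loaded and is_vulnerable(core_version),
    }


# Constructed sample of the API response (not captured from a real wiki).
SAMPLE_SITEINFO = json.dumps({
    "query": {
        "general": {"sitename": "Example Wiki", "generator": "MediaWiki 1.39.10"},
        "extensions": [
            {"type": "other", "name": "MultimediaViewer"},
            {"type": "parserhook", "name": "Cite"},
        ],
    }
})

if __name__ == "__main__":
    print(assess_siteinfo(SAMPLE_SITEINFO))
    for v in ["1.39.12", "1.39.13", "1.41.3", "1.43.1", "1.43.2", "1.44.0-rc.0", "1.45.0-alpha"]:
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Fetch the JSON with curl from the wiki's api.php and hand it to assess_siteinfo(); on a server without web access, parse_version() also accepts the MW_VERSION line from includes/Defines.php, which is why it searches for the version inside arbitrary text rather than requiring a bare number.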

📡 Detection & Monitoring

Log Indicators:

  • New or edited content containing script-like markup (<script, javascript:, on*= handlers, or encoded forms such as %3Cscript) in MediaWiki's own records: RecentChanges, the upload log and recent revisions of file description pages. A stored payload never appears in web server access logs, which only record the request line of the POST that saved it.
  • Requests in web server access logs whose URL parameters carry such markup, in raw or percent-encoded form.

Network Indicators:

  • HTTP requests with script payloads in query parameters, typically URL-encoded (%3Cscript%3E) or double-encoded (%253Cscript%253E), so match after decoding.
  • Browsers of wiki users making unexpected requests to external hosts after loading a file page (session exfiltration or redirects).

SIEM Query:

source="web_server_logs" AND (url="*<script*" OR url="*%3Cscript*" OR url="*javascript:*" OR url="*javascript%3A*" OR url="*onerror=*" OR url="*onerror%3D*")

Match case-insensitively and, where your SIEM supports it, URL-decode the field before matching; a query that looks only for the literal string <script> misses every encoded payload.
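To show why the decoding caveat matters, here is an added Python example (not part of this page and not a Wikimedia tool) that scans constructed access-log lines, percent-decodes each request URL up to three times, flags script-like content, and records beside each hit whether a literal <script>/javascript: substring match would have caught it. The log lines and the pattern list are illustrative assumptions, not known indicators for this CVE.

```python
import re
from urllib.parse import unquote, unquote_plus

# Request line inside a combined/common access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Patterns evaluated on the *decoded* URL. Event handlers are listed
# explicitly: a loose on[a-z]+= would flag harmless parameters such as only=.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "js_url": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon(error|load|click|mouseover|focus|toggle)\s*=", re.I),
    "html_vector": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def decode_fully(value, max_rounds=3):
    """Percent-decode until the text stops changing, so a double-encoded
    payload (%253C -> %3C -> <) is inspected in its final form. The first
    round also maps '+' to space as a query string would; later rounds do
    not, so a decoded literal '+' survives. Bounded so malformed input
    cannot loop forever."""
    value = unquote_plus(value)
    for _ in range(max_rounds - 1):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def literal_query_matches(url):
    """What a substring-only SIEM query sees: raw, undecoded text."""
    return "<script>" in url or "javascript:" in url


def scan_log(text):
    """Return one record per request whose decoded URL matches a pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        decoded = decode_fully(url)
        matched = [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]
        if matched:
            hits.append({
                "url": url,
                "decoded": decoded,
                "patterns": matched,
                "literal_match": literal_query_matches(url),
            })
    return hits


# Constructed sample lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /wiki/File:Example.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /w/index.php?title=File:Example.jpg&q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2025:12:00:03 +0000] "GET /w/index.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 431 "-" "curl/8.0"
203.0.113.11 - - [10/Jun/2025:12:00:04 +0000] "GET /w/index.php?title=Special:Search&search=javascript+tutorial HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Jun/2025:12:00:05 +0000] "GET /w/load.php?modules=startup&only=scripts HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["patterns"], "literal query would match:", hit["literal_match"])
        print("   ", hit["decoded"])
```

Both constructed payloads are missed by the literal query and caught only after decoding, while the search for "javascript tutorial" and the ResourceLoader request with only=scripts stay quiet. Keep in mind that this only covers reflected input in GET parameters; a stored payload saved through a POST has to be hunted in the wiki's revision data, not in the access log.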

🔗 References

  • https://phabricator.wikimedia.org/T394863 (Wikimedia Phabricator task)