Greetings-
With the security/maintenance release of MediaWiki 1.39.13/1.42.7/1.43.2, we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]:
ManageWiki + ( https://github.com/miraheze/ManageWiki/security/advisories/GHSA-gg42-cv66-f5..., CVE-2025-32956) - SQL injection vulnerability in NamespaceMigrationJob https://github.com/miraheze/ManageWiki/commit/f504ed8eeb59b57ebb90f93cd44f23...
IPInfo + (T392976 https://phabricator.wikimedia.org/T392976, CVE-2025-53481) - Denial of service vector on ipinfo/v0/norevision https://gerrit.wikimedia.org/r/q/I474b7a1b3bc1e7597fee0826a18a0cf042359f0f
IPInfo + (T392976 https://phabricator.wikimedia.org/T392976, CVE-2025-53481) - Denial of service vector on ipinfo/v0/norevision https://gerrit.wikimedia.org/r/q/I08a7154f8fa08bb6f0940e522075bdc2a3d4433f
IPInfo + (T394393 https://phabricator.wikimedia.org/T394393, CVE-2025-53482) - IPInfo: Message key XSS through several IPInfo messages in infobox and popup https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1146685
IPInfo + (T394393 https://phabricator.wikimedia.org/T394393, CVE-2025-53482) - IPInfo: Message key XSS through several IPInfo messages in infobox and popup https://gerrit.wikimedia.org/r/q/Ibb9b7dcb04f551a3da32e9de09a8ac11caa2a3aa
SecurePoll + (T392341 https://phabricator.wikimedia.org/T392341, CVE-2025-53483) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SecurePoll/+/1149618
SecurePoll + (T392341 https://phabricator.wikimedia.org/T392341, CVE-2025-53484) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation https://gerrit.wikimedia.org/r/q/I5fb4da635b538b6ef121ae77d9088737fd8bf0de
SecurePoll + (T392341 https://phabricator.wikimedia.org/T392341, CVE-2025-53483) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation https://gerrit.wikimedia.org/r/q/I7a771f81cc72bd5c6242767cf3f5e19fa140accc
SecurePoll + (T392341 https://phabricator.wikimedia.org/T392341, CVE-2025-53485) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation https://gerrit.wikimedia.org/r/q/Iaaae70289464b8f097ff8d2d6c828ddf942d2d60
SecurePoll + (T392341 https://phabricator.wikimedia.org/T392341, CVE-2025-53484) - SecurePoll is vulnerable to XSS, CSRF, and lack of authorisation https://gerrit.wikimedia.org/r/q/Id6e0c8c3020c293460010ef0019bc6c40d43b596
WikiCategoryTagCloud + (T394590 https://phabricator.wikimedia.org/T394590, CVE-2025-53486) - Reflected XSS in WikiCategoryTagCloud https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30b1bd09ebb48fcfd17
ApprovedRevs + (T394383 https://phabricator.wikimedia.org/T394383, CVE-2025-53487) - Stored XSS through system messages in Extension:ApprovedRevs https://gerrit.wikimedia.org/r/q/Ifcab085111e7898da485a5e2ae287fee4e6d167b
CheckUser + (T394692 https://phabricator.wikimedia.org/T394692, CVE-2025-53478) - Special:Investigate 'IPs and User agents' tab has i18n XSS vectors https://gerrit.wikimedia.org/r/q/I3a1e21b6800ff4d813a33ee9fe9b7ccf070b6b2e
CheckUser + (T394693 https://phabricator.wikimedia.org/T394693, CVE-2025-53479) - Special:CheckUser has i18n XSS vectors https://gerrit.wikimedia.org/r/q/I159e14543912cb3bc7f4a00c3090c0285b154786
CheckUser + (T394700 https://phabricator.wikimedia.org/T394700, CVE-2025-53480) - Special:Investigate 'Account information' tab has i18n XSS vectors https://gerrit.wikimedia.org/r/q/I777fc55fef15c3b00df0db268af2b64cb2d6e381
MsUpload + (T394864 https://phabricator.wikimedia.org/T394864, CVE-2025-7362) - Stored XSS through a system message in MsUpload https://gerrit.wikimedia.org/r/q/Icf4c0a5a936926ea887ca2e48c3a7bd297201d9f
TitleIcon + (T394721 https://phabricator.wikimedia.org/T394721, CVE-2025-7363) - XSS in TitleIcon https://gerrit.wikimedia.org/r/q/I107ab638fecbf52b5bec3f02726ed24b1ae74429
TwoColConflict + (T394938 https://phabricator.wikimedia.org/T394938, CVE-2025-53494) - Stored XSS in TwoColConflict https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TwoColConflict/+/11500...
MintyDocs + (T395376 https://phabricator.wikimedia.org/T395376, CVE-2025-53493) - Stored XSS in MintyDocs https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1151800
MintyDocs + (T395737 https://phabricator.wikimedia.org/T395737, CVE-2025-53492) - Stored XSS in MintyDocs https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MintyDocs/+/1152771
FlaggedRevs + (T394397 https://phabricator.wikimedia.org/T394397, CVE-2025-53491) - Stored XSS in FlaggedRevs https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FlaggedRevs/+/1165929
CampaignEvents + (T395622 https://phabricator.wikimedia.org/T395622, CVE-2025-53490) - Multiple XSS in CampaignEvents https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CampaignEvents/+/11659...
GoogleDocs4MW + (T395949 https://phabricator.wikimedia.org/T395949, CVE-2025-53489) - XSS in GoogleDocs4MW https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GoogleDocs4MW/+/115526...
wikihiero + (T396524 https://phabricator.wikimedia.org/T396524, CVE-2025-53488) - Stored XSS in WikiHiero https://gerrit.wikimedia.org/r/c/mediawiki/extensions/wikihiero/+/1166018
RelatedArticles + (T396413 https://phabricator.wikimedia.org/T396413, CVE-2025-53497) - Stored XSS in RelatedArticles https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RelatedArticles/+/1166...
MediaSearch + (T396946 https://phabricator.wikimedia.org/T396946, CVE-2025-53496) - Stored XSS in MediaSearch https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MediaSearch/+/1166030
AbuseFilter + (T396750 https://phabricator.wikimedia.org/T396750, CVE-2025-53495) - Unauthorized Disclosure of IP Reputation in AbuseFilter https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166040
AbuseFilter + (T397196 https://phabricator.wikimedia.org/T397196, CVE-2025-53499) - Unauthorized Inspection of Protected Variables in AbuseFilter https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166045
AbuseFilter + (T397221 https://phabricator.wikimedia.org/T397221, CVE-2025-53498) - Lack of Audit Logging in AbuseFilter https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166844
FeaturedFeeds + (T392279 https://phabricator.wikimedia.org/T392279, CVE-2025-53502) - HTML injection in FeaturedFeeds https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FeaturedFeeds/+/114974...
Scribunto + (T397524 https://phabricator.wikimedia.org/T397524, CVE-2025-53501) - Content Access Bypass in Scribunto https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Scribunto/+/1164541
MassEditRegex + (T397334 https://phabricator.wikimedia.org/T397334, CVE-2025-53500) - Stored XSS in MassEditRegex https://gerrit.wikimedia.org/r/c/mediawiki/extensions/MassEditRegex/+/116387...
CentralAuth + (T389010 https://phabricator.wikimedia.org/T389010, CVE-2025-6926) - Security Authentication Bypass in CentralAuth https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1165117
ManageWiki + ( https://github.com/miraheze/ManageWiki/security/advisories/GHSA-ccrf-x5rp-gp..., CVE-2025-32964) - ManageWiki Vulnerable To Permission Bypass When Disabling Extensions Requiring Certain Permissions In Special:ManageWiki/Extensions https://github.com/miraheze/ManageWiki/commit/00bebea43a3e3ff0157b5f04df17c1...
ManageWiki + ( https://github.com/miraheze/ManageWiki/security/advisories/GHSA-859x-46h8-vc..., CVE-2025-43861) - ManageWiki Vulnerable to Self-XSS in review dialog via unsanitized field reflection https://github.com/miraheze/ManageWiki/commit/2f177dc83b28b727613215b835d403...
Citizen + ( https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisor..., CVE-2025-49575) - Citizen Allows Stored XSS In Command Palette Tip Messages https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d0...
Citizen + ( https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisor..., CVE-2025-49576) - Citizen Allows Stored XSS In Search No Result Messages https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac77...
Citizen + ( https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisor..., CVE-2025-49577) - Citizen Allows Stored XSS In Preference Menu Headings https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac77...
Citizen + ( https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisor..., CVE-2025-49578) - Citizen Allows Stored XSS In User Registration Date Message https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/64cb5d7ab...
Citizen + ( https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisor..., CVE-2025-49579) - Citizen Allows Stored XSS In Menu Heading Message https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d4...
TabberNeue + ( https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/security..., CVE-2025-53093) - TabberNeue Vulnerable To Stored XSS Through Wikitext https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/commit/4...
ShortDescription + ( https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/se..., CVE-2025-53369) - Citizen Short Description Stored XSS Vulnerability Through Wikitext https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/co...
Citizen + ( https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisor..., CVE-2025-53368) - Citizen Is Vulnerable To Stored XSS Attack In The Legacy Search Bar https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb33...
Citizen + ( https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisor..., CVE-2025-53370) - Citizen Stored XSS Vulnerability Through Short Descriptions https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bdd...
UrlShortener + (T394869 https://phabricator.wikimedia.org/T394869, CVE-2025-7056) - Stored XSS in UrlShortener https://gerrit.wikimedia.org/r/c/mediawiki/extensions/UrlShortener/+/1166268
Quiz + (T394612 https://phabricator.wikimedia.org/T394612, CVE-2025-7057) - Stored XSS in Quiz https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Quiz/+/1166274
The Wikimedia Security Team recommends updating these extensions and/or skins to the current master branch or the relevant, supported release branch [2] as soon as possible.

Some of the referenced Phabricator tasks above _may_ still be private. Unfortunately, when security issues are reported, sensitive information is sometimes disclosed in the task, and because Phabricator preserves the full task history, we cannot make such tasks public without exposing that information.

If you have any additional questions or concerns regarding this update, please feel free to contact security@wikimedia.org or file a security task within Phabricator [3].
[1] https://phabricator.wikimedia.org/T389312
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
mediawiki-announce@lists.wikimedia.org