CVE-2024-47848
Description
A blocked user with patroller permissions can still review/unreview articles in MediaWiki PageTriage due to a misplaced permission check, allowing authentication bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
The vulnerability resides in the PageTriage extension for MediaWiki. The root cause is a logic error in the permission check order: the code first checks if the user has patroller or autopatrolled roles and returns true immediately, before checking if the user is blocked [1]. This means that a blocked user who still holds patroller permissions can bypass the block restriction and perform review or unreview actions on articles.
Exploitation
An attacker needs a MediaWiki account that has been blocked but still retains patroller or autopatrolled permissions. By navigating to a newly created or existing page, the attacker can mark it as reviewed or unreviewed, even though the block should prevent such actions [1]. The attack requires no special network position beyond normal wiki access.
Impact
Successful exploitation allows an authenticated but blocked user to bypass the intended access control. This can undermine moderation workflows, as blocked users can manipulate the review status of articles, potentially hiding problematic content or falsely marking pages as reviewed.
Mitigation
The issue has been fixed in PageTriage versions 1.39.9, 1.41.3, and 1.42.2 [2]. Users running affected versions should update immediately. No workaround is available; the fix reorders the permission checks to evaluate the block status before granting review privileges [1].
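The ordering flaw described in the Details and Mitigation paragraphs is easiest to see side by side. The following is an added illustration, not code from the PageTriage extension: the `User` type, the group names as plain strings, the function names and the sample users are all assumptions made for the example. The vulnerable version returns as soon as it sees a review group, so the block is never consulted; the fixed version evaluates the block first, and an audit helper reports any blocked sample user a check still lets through.

```python
# Added illustration of CVE-2024-47848's check ordering (hypothetical code,
# not PageTriage's own). Group names and the User type are assumptions.
from dataclasses import dataclass, field

REVIEW_GROUPS = {"patroller", "autopatrolled"}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)  # e.g. {"patroller"}
    blocked: bool = False


def can_review_vulnerable(user: User) -> bool:
    """Mirrors the flawed order the advisory describes: the role check
    returns True before the block status is ever looked at."""
    if user.groups & REVIEW_GROUPS:
        return True  # early return: a blocked patroller slips through here
    if user.blocked:
        return False
    return False


def can_review_fixed(user: User) -> bool:
    """Reordered check: a block is evaluated first and always wins."""
    if user.blocked:
        return False
    return bool(user.groups & REVIEW_GROUPS)


# Constructed sample accounts covering the relevant combinations.
SAMPLE_USERS = [
    User("blocked-patroller", {"patroller"}, blocked=True),
    User("active-patroller", {"patroller"}),
    User("blocked-autopatrolled", {"autopatrolled"}, blocked=True),
    User("plain-user"),
    User("blocked-plain-user", blocked=True),
]


def review_outcomes(check) -> dict:
    """Run a permission check over the sample users; name -> allowed."""
    return {u.name: check(u) for u in SAMPLE_USERS}


def blocked_users_allowed(check) -> list:
    """Audit helper: names of blocked sample users the check still permits.
    The expected result for a correct check is an empty list."""
    return [u.name for u in SAMPLE_USERS if u.blocked and check(u)]


if __name__ == "__main__":
    print("vulnerable lets through:", blocked_users_allowed(can_review_vulnerable))
    print("fixed lets through:     ", blocked_users_allowed(can_review_fixed))
```

Running the block prints the two blocked review-group accounts for the vulnerable ordering and an empty list for the fixed one; the same `blocked_users_allowed` check, pointed at a real permission function, is the kind of regression test that keeps a block check from being reordered behind a role check again.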
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=1.39.0,<1.39.9 || >=1.41.0,<1.41.3 || >=1.42.0,<1.42.2
- (no CPE) range: >=1.39.0 <1.39.9, >=1.41.0 <1.41.3, >=1.42.0 <1.42.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 references.
News mentions
No linked articles in our index yet.