CVE-2025-23079
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - ArticleFeedbackv5 extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - ArticleFeedbackv5 extension: from 1.42.X before 1.42.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) in MediaWiki ArticleFeedbackv5 extension due to improper input neutralization, affecting versions 1.42.X before 1.42.2.
Vulnerability
Overview
CVE-2025-23079 is a stored cross-site scripting (XSS) vulnerability in the Wikimedia Foundation's MediaWiki ArticleFeedbackv5 extension. The flaw arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript into pages rendered by the extension. The issue affects all versions of the extension from 1.42.X up to (but not including) 1.42.2 [1].
Exploitation
Vectors
The vulnerability can be triggered through multiple system messages used by the extension, such as articlefeedbackv5-activity-pane-header, articlefeedbackv5-bucket?-title, and pipe-separator. An attacker can exploit these by manipulating the uselang parameter (e.g., ?uselang=x-xss) on a page with feedback enabled, or by performing a series of actions like leaving feedback, marking it as inappropriate, and requesting oversight, then refreshing the page to view the activity pane. The injected script runs in the victim's browser session within the wiki's own origin, so the same-origin policy offers no protection against it [1].
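The escaping discipline that closes this class of bug, shown as an added illustration rather than the extension's own code: the message keys are those named in the advisory, while the class and method names are assumed, and the message text is treated as untrusted because its content is selected by the request's uselang parameter.

```php
<?php
// Added illustration (not ArticleFeedbackv5's own code): an unsafe and a safe way
// of rendering MediaWiki system messages into HTML. Class/method names are assumed.
// `Html` and `MessageLocalizer` are core MediaWiki classes (Html is also available
// as MediaWiki\Html\Html in recent releases).

class ActivityPaneRenderer {

	/**
	 * Unsafe pattern: Message::text() returns the message body with no HTML
	 * escaping. The message content depends on the requested language (uselang),
	 * so it is not trusted markup, yet string concatenation places it verbatim
	 * into the document.
	 */
	public static function renderHeaderUnsafe( MessageLocalizer $ml ): string {
		$header = $ml->msg( 'articlefeedbackv5-activity-pane-header' )->text();
		return '<h3 class="articleFeedbackv5-activity-header">' . $header . '</h3>';
	}

	/**
	 * Safe pattern: Html::element() escapes the text node it is given, so the
	 * message is rendered as text regardless of what it contains.
	 */
	public static function renderHeaderSafe( MessageLocalizer $ml ): string {
		$header = $ml->msg( 'articlefeedbackv5-activity-pane-header' )->text();
		return Html::element( 'h3', [ 'class' => 'articleFeedbackv5-activity-header' ], $header );
	}

	/**
	 * Joining several messages: every fragment goes through Message::escaped()
	 * first, including the separator, so the assembled string is already safe
	 * HTML and may be passed to Html::rawElement().
	 */
	public static function renderBucketTitles( MessageLocalizer $ml, array $bucketIds ): string {
		$titles = [];
		foreach ( $bucketIds as $id ) {
			// Key pattern from the advisory, e.g. articlefeedbackv5-bucket1-title
			$titles[] = $ml->msg( "articlefeedbackv5-bucket{$id}-title" )->escaped();
		}
		$sep = $ml->msg( 'pipe-separator' )->escaped();
		return Html::rawElement( 'div', [ 'class' => 'articleFeedbackv5-buckets' ], implode( $sep, $titles ) );
	}
}
```

A review of extension code for this bug class looks for `->text()`, `->plain()` or `->parse()` results concatenated into HTML strings or handed to `Html::rawElement()`, and for custom HTML built from messages without passing through `Html::element()` or `->escaped()`.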
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the affected MediaWiki instance. This can lead to session hijacking, defacement, theft of sensitive data (such as authentication tokens), or further attacks against other users. The CVSS v3 base score of 6.1 (Medium) reflects the need for user interaction and the requirement that the extension be enabled, but the impact on confidentiality and integrity is significant [1].
Mitigation
The vulnerability has been patched in MediaWiki ArticleFeedbackv5 version 1.42.2. Users running earlier versions should upgrade immediately. As noted in the advisory, the extension was not yet installed on Miraheze at the time of discovery, but any deployment using the affected versions is at risk. No workarounds are documented; the recommended action is to apply the update [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=1.42.0,<1.42.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.