CVE-2025-32067
Description
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in MediaWiki Growth Experiments extension's i18n message leads to stored XSS, affecting versions 1.39-1.43.
Vulnerability
The Growth Experiments extension for MediaWiki contains a stored Cross-Site Scripting (XSS) vulnerability in the internationalization message growthexperiments-homepage-suggestededits-tasktype-description-link-recommendation. The software fails to properly validate or sanitize input when rendering this message, allowing an attacker to inject malicious scripts [1].
Exploitation
An attacker with the ability to edit the affected message (typically users with editinterface rights) can inject arbitrary JavaScript. When other users view a page that uses this message, the script executes in their browser context. The attack does not require authentication for the victim, only for the attacker to modify the message [1].
Impact
Successful exploitation allows the attacker to perform actions on behalf of the victim, such as stealing session cookies, performing administrative actions if the victim is an admin, or defacing the wiki. The vulnerability affects all versions from 1.39 to 1.43 inclusive [1].
Mitigation
The Wikimedia Foundation has acknowledged the issue in the Phabricator task T386963 and assigned it CVE-2025-32067. Administrators are advised to restrict editinterface rights to trusted users and apply any available patches from the extension's repository. As of the publication date, a patch may be in progress; users should monitor the extension's update channel [1].
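As an added illustration of the bug class described under Vulnerability and the fix direction under Mitigation (this is not code from the GrowthExperiments extension, whose actual call site for this message is not on this page), the same i18n message rendered three ways with MediaWiki core's Message and Html APIs; the helper names are hypothetical.

```php
<?php
// Added illustration of stored XSS through an editable i18n message in MediaWiki.
// Not code from the GrowthExperiments extension: the helper names are hypothetical
// and the extension's real call site for this message is not documented on this page.
// Assumes MediaWiki core: wfMessage() and the Html helper, referenced by its
// unnamespaced name Html, which resolves across 1.39-1.43 (it became
// MediaWiki\Html\Html in 1.40 with the old name kept as an alias).

const TASK_DESC_MSG = 'growthexperiments-homepage-suggestededits-tasktype-description-link-recommendation';

// VULNERABLE PATTERN: ->text() substitutes parameters but does no HTML escaping,
// and Html::rawElement() inserts its third argument verbatim. Whatever a user
// with editinterface rights stored in the on-wiki MediaWiki: page for this key
// reaches every viewer's browser as live markup.
function renderTaskDescriptionUnsafe(): string {
    $msg = wfMessage( TASK_DESC_MSG )->text();
    return Html::rawElement( 'p', [ 'class' => 'task-description' ], $msg );
}

// FIX 1: treat the message as plain text. Html::element() HTML-escapes its
// content, so a stored "<script>" is displayed literally instead of executed.
function renderTaskDescriptionEscaped(): string {
    return Html::element( 'p', [ 'class' => 'task-description' ], wfMessage( TASK_DESC_MSG )->text() );
}

// FIX 2: the message legitimately needs links or formatting. ->parse() runs it
// through the wikitext parser, whose Sanitizer removes script-capable HTML while
// keeping the wikitext links and bold/italic the message is meant to carry.
function renderTaskDescriptionParsed(): string {
    return Html::rawElement( 'div', [ 'class' => 'task-description' ], wfMessage( TASK_DESC_MSG )->parse() );
}

// REVIEW CHECK when auditing extension code: flag any ->text() or ->plain()
// result that flows into Html::rawElement(), string concatenation of HTML, or
// OutputPage::addHTML(); require ->escaped(), ->parse(), ->parseAsBlock(), or
// Html::element() on that path instead.
```

Restricting editinterface rights, as the Mitigation section advises, limits who can store such a payload; the escaping or parsing fix is what stops it from executing at all.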
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
Patches found: 0. No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.