CVE-2025-32070
Description
Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in MediaWiki AJAX Poll extension allows XSS via poll-related interface messages, affecting versions 1.39 through 1.43.
Vulnerability
Overview
The AJAX Poll extension for MediaWiki fails to properly escape certain poll-related interface messages, leading to a Cross-Site Scripting (XSS) vulnerability [1]. This improper input validation issue allows an attacker to inject malicious scripts into poll display elements by manipulating system messages such as ajaxpoll-no-vote-results-after-voting [1]. The vulnerability affects versions 1.39 through 1.43 of the extension.
Exploitation
An attacker who can edit system messages (typically users with editinterface permission) can set a vulnerable message to an XSS payload. When a poll is rendered that displays that message, the payload executes [1]. The attack requires the ability to modify system messages, which is often limited to administrators or trusted users.
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, defacement, or redirection to malicious sites. The XSS can affect any user who views a poll that triggers the vulnerable message.
Mitigation
The Wikimedia Foundation has released security patches for the affected branches (REL1_39, REL1_42, REL1_43, and master) that properly escape interface messages [1]. Administrators should update to the latest patched version of the extension immediately. No workaround is available other than applying the patch.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.