CVE-2025-32700
Description
AbuseFilter in MediaWiki versions 1.43.0 before 1.43.1 exposes sensitive information to unauthorized actors through log query and pager endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The AbuseFilter extension for MediaWiki contains an information disclosure vulnerability in versions 1.43.0 up to, but not including, 1.43.1. The issue manifests in multiple program files: includes/Api/QueryAbuseLog.php, includes/Pager/AbuseLogPager.php, includes/Special/SpecialAbuseLog.php, and includes/View/AbuseFilterViewExamine.php. These components handle abuse log queries and display, and the vulnerability allows an unauthorized actor to access sensitive information that should be restricted.
An attacker can exploit this vulnerability without requiring special privileges, as the sensitive data exposure occurs through the normal operation of querying or paging through abuse logs. The unauthorized access is possible due to insufficient permission checks in the affected files, specifically when retrieving or rendering log entries that may contain private details about filtered actions or user information.
The impact is the exposure of sensitive information to unauthorized parties. This could include details about blocked edits, user account actions, or other abuse-filter-related metadata that is not intended for public view. The potential for harm is limited by the nature of the data exposed, but it still represents a breach of confidentiality for users or administrators whose actions are logged.
A fix has been released in AbuseFilter version 1.43.1. Users running version 1.43.0 are advised to update immediately. No workarounds have been publicly documented beyond applying the patch. The Wikimedia Foundation has acknowledged the issue in their Phabricator tracker [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >= 1.43.0, < 1.43.1
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.