CVE-2025-3469
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with the program file includes/htmlform/fields/HTMLMultiSelectField.php.
This issue affects MediaWiki versions before 1.39.12, 1.42.x before 1.42.6, and 1.43.x before 1.43.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in MediaWiki's HTMLMultiSelectField allows attackers to inject malicious scripts via improperly neutralized input.
Vulnerability
CVE-2025-3469 is a cross-site scripting (XSS) vulnerability in MediaWiki, caused by improper neutralization of user input during web page generation. The flaw resides in the includes/htmlform/fields/HTMLMultiSelectField.php file, where the software fails to sanitize or escape certain inputs before rendering them in web pages. This allows an attacker to inject arbitrary HTML or JavaScript code that will be executed in the context of the victim's browser session [1].
Exploitation
To exploit this vulnerability, an attacker must be able to submit crafted input through the HTMLMultiSelectField component, likely by editing a page or using a form that leverages this field type. The attack does not require any special network position; it can be carried out by any authenticated user with the ability to provide input that gets stored and later displayed to other users. The vulnerability is classified as cross-site scripting (XSS) and fits the "Stored" category when the injected script persists on the server [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user viewing the affected page. This can lead to session hijacking, theft of sensitive data, defacement, or further attacks against the wiki's users. Because MediaWiki is a widely deployed collaborative platform, the potential impact spans many installations, especially those running unpatched versions [1].
Mitigation
The Wikimedia Foundation has addressed this issue in MediaWiki versions 1.39.12, 1.42.6, and 1.43.1. All prior versions are affected. Users and administrators should update their MediaWiki installations to the patched versions as soon as possible. No workarounds are documented in the available references [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <1.39.12; >=1.42.0 and <1.42.6; >=1.43.0 and <1.43.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.