VYPR
Medium severity (5.4) · NVD Advisory · Published Jul 7, 2025 · Updated Apr 15, 2026

CVE-2025-53478

Description

The CheckUser extension’s Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the “IPs and User agents” tab.

This issue affects the MediaWiki CheckUser extension: versions 1.39.x before 1.39.13, 1.42.x before 1.42.7, and 1.43.x before 1.43.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in CheckUser's Special:Investigate IPs/user agents tab due to insufficient escaping of i18n messages.

Vulnerability

Overview

The CheckUser extension for MediaWiki is affected by a reflected Cross-Site Scripting (XSS) vulnerability in the Special:Investigate interface, specifically within the "IPs and User agents" tab. The root cause is improper escaping of certain internationalized (i18n) system messages that are rendered on this tab [1]. This allows an attacker to inject malicious script code that executes in the context of a victim's session.

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must convince a target user to visit a specially crafted URL that triggers the vulnerable interface. The attack does not require any prior authentication from the attacker, but the victim must have access to the Special:Investigate page. The manipulation occurs through crafted i18n message parameters, bypassing the expected output escaping [1].

Impact

Successful exploitation could allow the attacker to execute arbitrary JavaScript in the victim's browser. This could lead to actions such as session hijacking, data exfiltration, or performing privileged actions on behalf of the victim. The severity is rated as Medium (CVSS v3: 5.4) due to the requirement for user interaction and the need for an authenticated session to reach the vulnerable page.

Mitigation

The vulnerability affects CheckUser versions: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, and from 1.43.X before 1.43.2. Administrators should upgrade to the fixed versions listed (1.39.13, 1.42.7, 1.43.2 or later) to remediate the issue. No workarounds are mentioned in the available references [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

  • Range: >=1.39.0, <1.39.13 || >=1.42.0, <1.42.7 || >=1.43.0, <1.43.2
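The Mitigation section and the range above give the same fact in two notations: three release branches are affected, each fixed at one patch release. The checker below, an added example that is not part of the advisory or of the CheckUser project, parses the page's range string and tells an administrator whether an installed version string matches it and which fixed release on the same branch to move to. The version strings passed in are constructed sample inputs; versions outside the listed branches (1.40.x, 1.41.x, 1.44.x) simply do not match the published range, which the page does not comment on.

```python
"""Check an installed CheckUser version against the CVE-2025-53478 range.

Added example (not from the advisory page or the CheckUser project).
AFFECTED_RANGE and FIXED_VERSIONS are copied from the page; every version
string fed to the functions below is a constructed sample input.
"""
import re

# Affected range exactly as printed on the advisory page.
AFFECTED_RANGE = ">=1.39.0, <1.39.13 || >=1.42.0, <1.42.7 || >=1.43.0, <1.43.2"

# Fixed releases named in the Mitigation section, one per affected branch.
FIXED_VERSIONS = ("1.39.13", "1.42.7", "1.43.2")

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """Turn '1.39.13' into (1, 39, 13) so components compare numerically.

    An optional leading 'v' and any suffix after the numeric part
    (e.g. '-alpha') are ignored.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(a, b):
    """Zero-pad two version tuples to equal length.

    Without this, (1, 39) would sort below (1, 39, 0) and a bare '1.39'
    would wrongly fall outside '>=1.39.0'.
    """
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_range(spec):
    """Parse 'OP VER, OP VER || OP VER, ...' into a list of clause lists.

    Clauses separated by ',' must all hold (AND); '||' separates
    alternatives (OR). Each clause becomes (operator, version tuple).
    """
    alternatives = []
    for alt in spec.split("||"):
        clauses = []
        for part in alt.split(","):
            part = part.strip()
            m = re.match(r"^(>=|<=|==|>|<)\s*(\S+)$", part)
            if not m:
                raise ValueError(f"bad range clause: {part!r}")
            clauses.append((m.group(1), parse_version(m.group(2))))
        alternatives.append(clauses)
    return alternatives


def is_affected(installed, spec=AFFECTED_RANGE):
    """True if `installed` satisfies any alternative of the range spec."""
    v = parse_version(installed)
    for clauses in parse_range(spec):
        if all(_OPS[op](*_pad(v, bound)) for op, bound in clauses):
            return True
    return False


def fixed_release_for(installed):
    """Return the fixed release on the same major.minor branch, or None
    when the page lists no fix for that branch."""
    branch = parse_version(installed)[:2]
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == branch:
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not data from the advisory.
    for sample in ("1.39.12", "1.39.13", "1.42.3", "1.43.1", "1.40.1"):
        status = "AFFECTED" if is_affected(sample) else "not in published range"
        print(f"{sample:>8}: {status}; fix on branch: {fixed_release_for(sample)}")
```

Run it with the installed extension version (CheckUser's `extension.json` carries the version for the release branch) to get a yes/no against the published range plus the target release. A "not in published range" result for a branch the page does not list is a data gap, not a clearance.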

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.