CVE-2025-53479
Description
The CheckUser extension’s Special:CheckUser interface is vulnerable to reflected XSS via the rev-deleted-user message. This message is rendered without proper escaping, making it possible to inject JavaScript through the uselang=x-xss language override mechanism.
This issue affects the MediaWiki CheckUser extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in CheckUser's Special:CheckUser via unescaped rev-deleted-user message, exploitable through uselang=x-xss language override.
The CheckUser extension's Special:CheckUser interface is vulnerable to reflected cross-site scripting (XSS). The vulnerability resides in the rev-deleted-user message, which is rendered without proper HTML escaping. This allows an attacker to inject arbitrary JavaScript into the page by manipulating the uselang parameter to use the x-xss language, a known testing mechanism for finding unescaped messages in MediaWiki interfaces [1].
The attack requires the server to have $wgUseXssLanguage enabled, and the attacker must craft a POST request to Special:CheckUser that includes a hidden uselang=x-xss parameter. Because the form uses POST, the attacker cannot simply append a query string; instead, they must modify the HTML of the POST form to include the hidden input field [1]. The vulnerability is triggered when the form is submitted and the rev-deleted-user message is rendered in the attacker-selected x-xss language, whose message text is not escaped before being placed in the page.
A successful exploit could allow an attacker to execute arbitrary JavaScript in the context of the victim's session. This could lead to account takeover, data theft, or other malicious actions performed with the privileges of the victim user. The risk is rated Medium (CVSS 5.4), reflecting the need for a non-default configuration and a crafted POST request [1].
The vulnerability affects CheckUser versions from 1.42.0 before 1.42.7, and from 1.43.0 before 1.43.2. Patches have been prepared and backported to the affected versions. Administrators are advised to update to the latest patched versions as soon as possible. If updating is not immediate, disabling the $wgUseXssLanguage setting may mitigate the risk, though this may impact other testing scenarios [1].
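An added illustration of the defect class the narrative describes, written for this page and not taken from CheckUser or from its patch: a hypothetical MediaWiki special-page helper that drops the rev-deleted-user message into HTML unescaped, beside the hardened form. The function names are assumptions; the Message and Html APIs are MediaWiki's own (1.40+ namespace).

```php
<?php
// Hypothetical special-page fragment (not CheckUser's code). Under the x-xss test
// language ($wgUseXssLanguage = true; request with uselang=x-xss) every message
// is served with markup embedded, so any message written into HTML without
// escaping shows up as injected script. That is the class of bug behind the CVE.

use MediaWiki\Html\Html;
use MediaWiki\SpecialPage\SpecialPage;

/**
 * Vulnerable pattern: Message::text() returns the message with parameters
 * substituted but NOT HTML-escaped, and Html::rawElement() trusts its third
 * argument as ready-made HTML. Whatever the message contains becomes markup.
 */
function renderRevDeletedUserUnsafe( SpecialPage $page ): string {
	return Html::rawElement(
		'span',
		[ 'class' => 'history-deleted' ],
		$page->msg( 'rev-deleted-user' )->text()
	);
}

/**
 * Hardened pattern: Message::escaped() HTML-escapes the message text, so angle
 * brackets and quotes in the message render literally. Html::element() with
 * ->text() is equivalent, since element() escapes its content itself.
 * Use ->parse() instead only when the message is meant to contain wikitext.
 */
function renderRevDeletedUserSafe( SpecialPage $page ): string {
	return Html::rawElement(
		'span',
		[ 'class' => 'history-deleted' ],
		$page->msg( 'rev-deleted-user' )->escaped()
	);
}
```

On a test instance with $wgUseXssLanguage enabled, the unsafe variant visibly fires the x-xss test payload, while the safe variant shows it as literal text; that is the check the page's description refers to.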
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=1.42.0, <1.42.7; >=1.43.0, <1.43.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.