VYPR
Medium severity (6.1) · NVD Advisory · Published Jul 4, 2025 · Updated Apr 15, 2026

CVE-2025-53482

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) in MediaWiki IPInfo extension via improperly neutralized message keys in infobox and popup.

Vulnerability

Description

The IPInfo extension for MediaWiki is vulnerable to cross-site scripting (XSS) due to improper neutralization of input during web page generation. The vulnerability resides in how the extension processes and renders IPInfo messages in the infobox and popup components. Specifically, message keys are not sanitized, allowing an attacker to inject arbitrary JavaScript or HTML. This issue affects versions 1.39.x before 1.39.13, 1.42.x before 1.42.7, and 1.43.x before 1.43.2 [1].
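The flaw class described above is a rendering path that places message text into markup without escaping. The following is an added illustration, not code from the IPInfo extension or MediaWiki: a vulnerable renderer that concatenates message text straight into HTML, the escaped alternative, and a small guard a reviewer can use in tests to catch tags that leak through. The message table, keys, function names and CSS class are all constructed for the example.

```javascript
// Added example (not the IPInfo extension's code): message text inserted
// into markup unescaped versus escaped. All names here are hypothetical.

// Constructed stand-in for the message lookup the extension performs; a real
// deployment resolves keys through MediaWiki's message system.
const MESSAGES = {
  'example-label-location': 'Location',
  // Constructed message whose text carries markup, standing in for any
  // message value an untrusted party could influence.
  'example-label-custom': '<b>Location</b><u>note</u>',
};

// Minimal HTML escaper for text placed inside element content or attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the message text becomes live markup, so any tags
// inside it are rendered by the browser rather than shown as text.
function renderInfoboxMarkup(key, value) {
  const label = MESSAGES[key] ?? key;
  return `<div class="infobox-property"><dt>${label}</dt><dd>${value}</dd></div>`;
}

// Hardened pattern: both the label and the value are escaped first, so the
// only elements in the output are the fixed wrapper elements.
function renderInfoboxEscaped(key, value) {
  const label = MESSAGES[key] ?? key;
  return `<div class="infobox-property"><dt>${escapeHtml(label)}</dt><dd>${escapeHtml(value)}</dd></div>`;
}

// Test-time guard: report true if the rendered string contains any element
// other than the expected wrapper elements. Suitable as a unit-test
// assertion on a rendering function's output.
function containsUnexpectedTags(html, allowed = ['div', 'dt', 'dd']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Usage: 203.0.113.5 is a documentation-range address used as sample data.
console.log(containsUnexpectedTags(renderInfoboxMarkup('example-label-custom', '203.0.113.5')));  // true
console.log(containsUnexpectedTags(renderInfoboxEscaped('example-label-custom', '203.0.113.5'))); // false
```

The guard is deliberately coarse: it flags any element outside a fixed allow-list rather than trying to decide whether a given tag is dangerous, which is the right bias for a regression test guarding a rendering path that should only ever emit plain text inside its wrapper.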

Exploitation

An attacker can exploit this flaw by crafting a malicious message key that, when rendered by the IPInfo extension, executes in the context of the user's browser. The attack requires the ability to influence the message keys used by the extension, which may be achievable through various means such as manipulating input fields that feed into these messages. The XSS then triggers when a victim views a page that contains the IPInfo infobox or popup [1].

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. As the vulnerability is present in widely used MediaWiki infrastructure, the impact could affect many wikis and their users.

Mitigation

The Wikimedia Foundation has addressed this vulnerability in updated versions of the IPInfo Extension. Users are advised to upgrade to 1.39.13, 1.42.7, or 1.43.2, or a later release on the corresponding branch. No workarounds have been provided, but restricting the ability to edit message keys may reduce risk. The vulnerability does not appear on CISA's Known Exploited Vulnerabilities list as of the publication date [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)