VYPR
Medium severity · CVSS 5.4 · NVD Advisory · Published Jul 7, 2025 · Updated Apr 15, 2026

CVE-2025-53491

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - FlaggedRevs Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - FlaggedRevs Extension: from 1.43.x before 1.43.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The MediaWiki FlaggedRevs extension before 1.43.2 has a stored XSS vulnerability in Special:PendingChanges: an internationalization (i18n) message rendered on that page is emitted without proper HTML escaping.

Vulnerability

Overview

CVE-2025-53491 is a cross-site scripting (XSS) vulnerability in the Wikimedia Foundation's FlaggedRevs extension for MediaWiki. The issue resides in the Special:PendingChanges page, where the extension fails to neutralize user-supplied input before including it in generated HTML. Specifically, an internationalization (i18n) message rendered on that page is emitted without adequate HTML escaping, so attacker-influenced content that reaches the message becomes live markup, and therefore arbitrary JavaScript or HTML, in the page output [1].
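The bug class described above, as an added illustration that is not FlaggedRevs code or MediaWiki code: a plain PHP script models an i18n message whose placeholders are filled from stored wiki data and then written into a special page. The message key, the row layout, the helper names and the sample stored value are all constructed for this example; the page does not identify which stored field fed the real message, so the payload below stands in for whatever that field was.

```php
<?php
// Added illustration of CWE-79 in i18n message output. Not FlaggedRevs code:
// the message key, the helpers and the sample input are constructed here.

// Stand-in for an i18n message table. Messages carry $1, $2, ... placeholders
// that are filled at render time from runtime values.
const MESSAGES = [
    'example-pending-row' => 'Pending changes to $1 by $2 ($3 ago)',   // hypothetical key
];

// Fill $1..$n from $params in a single pass (so a substituted value containing
// "$1" is never re-expanded). The result is plain text, not HTML; in MediaWiki
// terms this resembles what Message::text() hands back.
function msgText(string $key, array $params): string {
    return preg_replace_callback(
        '/\$(\d+)/',
        fn(array $m): string => $params[(int) $m[1] - 1] ?? $m[0],
        MESSAGES[$key]
    );
}

// Vulnerable pattern: the filled message is concatenated straight into markup.
// Any parameter an attacker can influence is now interpreted by the browser of
// every reviewer who opens the listing.
function renderRowUnsafe(string $subject, string $user, string $age): string {
    return '<li>' . msgText('example-pending-row', [$subject, $user, $age]) . '</li>';
}

// Hardened pattern: escape the filled message before it becomes HTML. This is
// the difference between Message::text() and Message::escaped() in MediaWiki;
// building the row with Html::element(), which escapes its text argument, has
// the same effect.
function renderRowSafe(string $subject, string $user, string $age): string {
    $text = msgText('example-pending-row', [$subject, $user, $age]);
    return '<li>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

// Constructed sample: a stored value carrying a script payload. The real
// vulnerable field is not named by the advisory.
$stored = 'Main_Page<img src=x onerror="alert(document.cookie)">';

echo renderRowUnsafe($stored, 'Alice', '3 hours'), PHP_EOL;
echo renderRowSafe($stored, 'Alice', '3 hours'), PHP_EOL;
```

Running the script prints the first row with a working `<img onerror>` handler and the second with the angle brackets and quotes turned into entities. When reviewing a MediaWiki special page for this class of bug, the thing to check is every place a `Message` object ends up in `OutputPage::addHTML()`: a `->text()` or `->plain()` result there needs to become `->escaped()` or `->parse()`, or the message should go through `OutputPage::addWikiMsg()` instead.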

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must be able to contribute content that appears in the pending changes review interface. This typically requires an account with edit privileges on a wiki that runs the FlaggedRevs extension. The injected payload is stored and executes when a reviewer or administrator views the Special:PendingChanges page, which is a routine task for those roles. The attacker needs no special network position, only ordinary web access to the wiki [1].

Impact

Successful exploitation allows an attacker to execute arbitrary script in the context of the victim's browser session. Because the victim is, by construction, a reviewer or administrator, this can lead to session hijacking, defacement, theft of sensitive information such as session cookies and CSRF tokens, and actions performed in the reviewer's name, including the review actions FlaggedRevs itself provides. The CVSS v3 base score of 5.4 (Medium) reflects an attacker who already holds low privileges (an account), the need for the victim to open the affected page, and partial impact on confidentiality and integrity [1].

Mitigation

The vulnerability is fixed in FlaggedRevs 1.43.2. FlaggedRevs is versioned alongside MediaWiki's release branches, so sites running MediaWiki 1.43.x should update the extension's REL1_43 branch to the 1.43.2 release or later immediately; Special:Version shows the extension revision actually deployed. No workarounds have been documented, and the issue is considered resolved in the referenced Phabricator task [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
