VYPR
Low severity · NVD Advisory · Published Oct 17, 2025 · Updated Apr 15, 2026

CVE-2025-62653

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PollNY extension allows Stored XSS. This issue affects MediaWiki PollNY extension: 1.39, 1.43, 1.44.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in MediaWiki PollNY extension via unsanitized system messages allows attackers to inject arbitrary scripts.

Vulnerability

Overview

The MediaWiki PollNY extension, versions 1.39, 1.43 and 1.44, contains a stored cross-site scripting (XSS) vulnerability, CWE-79, improper neutralization of input during web page generation [1]. The root cause is that system messages used by the extension (interface text looked up by message key, which any wiki can override by editing the corresponding page in the MediaWiki: namespace) are not escaped before being inserted into the rendered HTML, so an attacker who controls a message can inject HTML and JavaScript that persists on every page where the extension outputs it [1].

Exploitation

An attacker who can edit system messages, that is, pages in the MediaWiki: namespace, can store script content in the poll-related messages the extension renders. Editing that namespace requires the editinterface right, which by default only administrators and interface administrators hold; it is deliberately separate from the editsitejs right needed to edit site-wide JavaScript, so an unescaped message turns a text-editing privilege into script execution. When any user views a page on which the affected poll output appears, the injected script runs in that user's browser [1]. No interaction beyond viewing the page is needed, and because the payload lives in a wiki page on the server it affects every subsequent visitor until the message is reverted [1].
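The bug class described above, as an added stand-alone illustration (this is not PollNY's code and does not use MediaWiki's classes): a constructed in-memory stand-in for MediaWiki: namespace pages, a vulnerable renderer that concatenates a message straight into HTML, the hardened renderer that escapes at the point of insertion, and a cheap regression check that no message content becomes live markup. The message keys, the payload and the helper names are all assumptions made for the example.

```php
<?php
// Added illustration of the PollNY advisory's bug class (CWE-79 via unescaped
// system messages). Not PollNY code; no MediaWiki dependency.
declare(strict_types=1);

// Stand-in for pages in the MediaWiki: namespace (constructed sample data).
// On a real wiki anyone holding the editinterface right can change these, so
// from the extension's point of view their content is attacker-controlled.
const SYSTEM_MESSAGES = [
    'example-poll-heading' => 'Current poll',
    // Hypothetical malicious edit saved by an account with editinterface.
    'example-poll-footer'  => 'Vote now! <img src=x onerror="alert(document.cookie)">',
];

// Hypothetical message lookup; mirrors "fetch text by key" without escaping.
function getMessage(string $key): string
{
    return SYSTEM_MESSAGES[$key] ?? '<' . $key . '>';
}

// VULNERABLE: message text is trusted as if it were static extension output
// and concatenated directly into the HTML response.
function renderPollVulnerable(string $question): string
{
    $html  = '<div class="poll">';
    $html .= '<h2>' . getMessage('example-poll-heading') . '</h2>';
    $html .= '<p class="question">' . htmlspecialchars($question, ENT_QUOTES, 'UTF-8') . '</p>';
    $html .= '<p class="footer">' . getMessage('example-poll-footer') . '</p>';
    $html .= '</div>';
    return $html;
}

// HTML-escape a string for use as element content or attribute value.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would silently drop the text.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HARDENED: every message is escaped where it enters markup, whether or not
// it "should" be static. In MediaWiki this corresponds to Message::escaped()
// or Html::element(), as opposed to Message::text()/plain().
function renderPollHardened(string $question): string
{
    $html  = '<div class="poll">';
    $html .= '<h2>' . escapeHtml(getMessage('example-poll-heading')) . '</h2>';
    $html .= '<p class="question">' . escapeHtml($question) . '</p>';
    $html .= '<p class="footer">' . escapeHtml(getMessage('example-poll-footer')) . '</p>';
    $html .= '</div>';
    return $html;
}

// Regression check: does a tag that only exists inside a message survive as
// a real tag in the output? Case-insensitive, since HTML tag names are.
function containsLiveTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

$question = 'Which branch should we deploy next?';

$vuln = renderPollVulnerable($question);
$safe = renderPollHardened($question);

printf("vulnerable output contains a live <img>: %s\n", containsLiveTag($vuln, 'img') ? 'yes' : 'no');
printf("hardened output contains a live <img>:   %s\n", containsLiveTag($safe, 'img') ? 'yes' : 'no');
echo $safe, "\n";
```

Run it with the php CLI. The MediaWiki-specific rule the example stands for: a message fetched with `->text()` or `->plain()` is an unescaped string and must never be concatenated into HTML; use `->escaped()` for plain-text messages, `->parse()` when the message legitimately contains wikitext (the parser's sanitizer strips event-handler attributes), or pass the text to `Html::element()`, which escapes its content argument. When auditing an extension for this class, searching for `->text()` and `->plain()` results flowing into string concatenation with HTML literals or into `Html::rawElement()` finds the same pattern the vulnerable renderer above exhibits.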

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the context of the victim's session. MediaWiki sets its session cookies HttpOnly by default, so outright cookie theft is usually not possible; the realistic outcome is script acting as the victim, for example fetching an edit token from the API and making edits or administrative changes in their name, as well as defacement and exfiltration of page content the victim can see. The severity is rated Low, largely because planting the payload requires the ability to modify system messages, which is an elevated privilege [1].

Mitigation

The Wikimedia Foundation has resolved the issue in the PollNY extension repository. Users should update to the latest patched version of the extension. No workaround is provided; applying the patch is the recommended action [1]. Until that is done, keeping the editinterface right limited to trusted accounts and reviewing recent edits in the MediaWiki: namespace for HTML or script content reduces the exposure.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1
