CVE-2025-7057
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Quiz Extension allows Stored XSS. This issue affects Mediawiki - Quiz Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the MediaWiki Quiz Extension lets a user who can edit a system message inject arbitrary JavaScript that runs in the browser of everyone who views the affected page. The 1.39, 1.42 and 1.43 release series are affected before 1.39.13, 1.42.7 and 1.43.2 respectively.
Vulnerability
Details
CVE-2025-7057 is a stored cross-site scripting (XSS) vulnerability in the Wikimedia Foundation MediaWiki Quiz Extension. The extension takes the content of a system message (an interface message that lives as a page in the MediaWiki: namespace and can be edited on-wiki) and emits it into the generated page HTML without neutralizing it. Markup placed in that message is therefore stored on the wiki and executed as script in the browser of every user who views a page on which the extension renders it [1].
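To make the mechanism concrete, here is an added PHP example; it is not code from the Quiz extension or from MediaWiki core. FakeMessage is a stand-in for the relevant methods of MediaWiki's Message class, the message key 'quiz-example-label' and the two render functions are hypothetical, and the payload is a constructed sample. It shows the bug class in its usual form: an unescaped message string concatenated into HTML, beside the escaped version.

```php
<?php
// Added example, not code from the Quiz extension or MediaWiki core.
// FakeMessage stands in for MediaWiki's Message class; the message key
// 'quiz-example-label' and the render functions are hypothetical.

/** Minimal stand-in for MediaWiki's Message object. */
final class FakeMessage {
    /** @var string */
    private $raw;

    public function __construct( string $raw ) {
        $this->raw = $raw;
    }

    /** Like Message::text(): message content with no HTML escaping. */
    public function text(): string {
        return $this->raw;
    }

    /** Like Message::escaped(): safe to concatenate into an HTML string. */
    public function escaped(): string {
        return htmlspecialchars( $this->raw, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

/**
 * Stand-in for looking a message up in the MediaWiki: namespace. On a
 * real wiki anyone holding the 'editinterface' right can change the value.
 */
function fakeWfMessage( array $messages, string $key ): FakeMessage {
    return new FakeMessage( $messages[$key] ?? "<$key>" );
}

/** Vulnerable pattern: unescaped message text dropped into raw HTML. */
function renderLabelVulnerable( array $messages ): string {
    return '<span class="quiz-label">'
        . fakeWfMessage( $messages, 'quiz-example-label' )->text()
        . '</span>';
}

/** Hardened pattern: escape the message before it reaches the HTML string. */
function renderLabelFixed( array $messages ): string {
    return '<span class="quiz-label">'
        . fakeWfMessage( $messages, 'quiz-example-label' )->escaped()
        . '</span>';
}

// Constructed sample: the message has been edited to carry a payload.
$messages = [
    'quiz-example-label' => 'Score <img src=x onerror="alert(document.domain)">',
];

echo "vulnerable: ", renderLabelVulnerable( $messages ), "\n";
echo "fixed:      ", renderLabelFixed( $messages ), "\n";
```

Run it with any PHP 7.4 or later interpreter: the vulnerable line reproduces the img tag verbatim, the fixed line turns the angle brackets and quotes into entities so the browser shows them as text. In real MediaWiki code the same distinction is between ->text() and ->plain(), which are unescaped and safe only as parser input or as an argument to Html::element (which escapes its content), and ->escaped() or ->parse(), which are what must be used when the result is concatenated into an HTML string. A quick audit check for this bug class in any extension is to grep for wfMessage( ... )->text() or ->plain() whose result ends up in a string returned as HTML.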
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must be able to change the content of the system message the Quiz Extension renders. System messages are pages in the MediaWiki: namespace, and editing them requires the editinterface right, which a default MediaWiki installation grants only to the interface-admin group; wikis that have extended that right to other groups have a correspondingly larger pool of possible attackers. No special network position is required: the edit is made through the normal web interface or the API. Once stored, the payload executes for every user who views a page on which the extension emits that message (typically a page containing a quiz), administrators included [1].
Impact
Successful exploitation runs attacker-controlled JavaScript in the victim's browser with the victim's wiki session. That allows the script to act on the victim's behalf (edits, and user-rights changes if the victim is an administrator), to deface pages, and to exfiltrate any data the session can read. MediaWiki marks its session cookies HttpOnly by default, so the script generally cannot read document.cookie directly, but it can call the API with the victim's session and obtain a CSRF token, which is enough to act as that user. The Wikimedia project rated the issue Low, reflecting the privileged access needed to plant the payload, but the impact scales with the privileges of whoever views the page [1].
Mitigation
The fix is in the Quiz Extension branches that correspond to MediaWiki 1.39.13, 1.42.7 and 1.43.2; the version numbers in this advisory are MediaWiki release series, since the extension's REL1_39, REL1_42 and REL1_43 branches track the core release they are branched for. Installations on an earlier release within one of those series should upgrade core and the extension together. Release series not listed here (such as 1.40 and 1.41) are not covered by this advisory; since Wikimedia issues security releases only for supported branches, an installation on such a series should move to a supported series rather than wait for a patch. No workaround other than upgrading is known, although because the injection point is a system message, keeping the editinterface right restricted to trusted interface administrators limits who can plant a payload in the meantime. The issue is resolved and the tracking task is public [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Two affected-version entries, no CPE assigned:
- range: >=1.39.0,<1.39.13, >=1.42.0,<1.42.7, >=1.43.0,<1.43.2
- range: >=1.39 <1.39.13 || >=1.42 <1.42.7 || >=1.43 <1.43.2
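The ranges above are easy to misread by hand (1.39.13 is fixed, 1.39.12 is not). The following added PHP example, which is not part of the advisory, parses the "||" form of the range string and checks an installed version against it with PHP's built-in version_compare(). The function and variable names are hypothetical.

```php
<?php
// Added example, not part of the advisory or of MediaWiki. Parses the
// range syntax used on this page (">=A <B || >=C <D ...") and checks a
// version against it. Function and variable names are hypothetical.

/**
 * Parse ">=1.39 <1.39.13 || >=1.42 <1.42.7" into [[min, maxExclusive], ...].
 * Each "||" clause must carry one ">=" lower bound and one "<" upper bound.
 */
function parseAffectedRanges( string $spec ): array {
    $ranges = [];
    foreach ( explode( '||', $spec ) as $clause ) {
        $min = null;
        $max = null;
        foreach ( preg_split( '/[\s,]+/', trim( $clause ) ) as $term ) {
            if ( strncmp( $term, '>=', 2 ) === 0 ) {
                $min = substr( $term, 2 );
            } elseif ( strncmp( $term, '<', 1 ) === 0 ) {
                $max = substr( $term, 1 );
            }
        }
        if ( $min !== null && $max !== null ) {
            $ranges[] = [ $min, $max ];
        }
    }
    return $ranges;
}

/** True if $version falls inside any [min, max) range. */
function isAffected( string $version, array $ranges ): bool {
    foreach ( $ranges as [ $min, $max ] ) {
        // version_compare treats "1.39.0" as later than "1.39", so a bare
        // series lower bound like ">=1.39" still matches every 1.39.x.
        if ( version_compare( $version, $min, '>=' )
            && version_compare( $version, $max, '<' )
        ) {
            return true;
        }
    }
    return false;
}

$ranges = parseAffectedRanges( '>=1.39 <1.39.13 || >=1.42 <1.42.7 || >=1.43 <1.43.2' );

// Constructed sample versions: the MediaWiki core version as shown on
// Special:Version, which the extension's REL branch follows.
foreach ( [ '1.39.12', '1.39.13', '1.42.7', '1.43.1', '1.43.2', '1.41.0' ] as $v ) {
    echo $v, ': ', isAffected( $v, $ranges ) ? 'AFFECTED' : 'not in range', "\n";
}
```

Treat "not in range" as "not covered by this advisory", not as "safe": a version such as 1.41.0 lies outside every listed range only because that series is not among the branches Wikimedia patched, so it is unpatched rather than fixed.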
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.