Cross-Site Scripting Vulnerability in Wikimedia's SecurePoll Extension
CVE-2025-11937

6.9MEDIUM

Key Information:

Vendor: The Wikimedia Foundation
Status: Mediawiki - Securepoll Extension
Vendor: CVE Published:; 18 October 2025

🔔 Create The Wikimedia Foundation Vulnerability Alert

What is CVE-2025-11937?

The SecurePoll Extension of MediaWiki from the Wikimedia Foundation is affected by a Cross-Site Scripting (XSS) vulnerability, allowing attackers to inject malicious scripts that can be executed in the context of the user's session. This can lead to unauthorized actions being performed on behalf of victims or sensitive information being exposed. The vulnerability arises from improper handling of user inputs during website generation, highlighting the importance of sanitizing data to prevent such exploits.

Affected Version(s)

Mediawiki - SecurePoll Extension master

References

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Sec...

https://phabricator.wikimedia.org/T402076

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 18, 2025
Vulnerability Reserved
Oct 18, 2025

Credit

SomeRandomDeveloper

JSON