SQL Injection Vulnerability in ManageWiki MediaWiki Extension
CVE-2025-32956

8 HIGH

Key Information:

Vendor: Miraheze
CVE Published: 21 April 2025

What is CVE-2025-32956?

ManageWiki, a MediaWiki extension for managing wikis, is susceptible to SQL injection when renaming a namespace under certain conditions. The flaw is in the namespace management feature at Special:ManageWiki/namespaces and is reachable when a page prefix is used alongside an injection payload. All versions before commit f504ed8 are affected; that commit introduces the patch. To mitigate the issue, users can disable namespace management by setting $wgManageWiki['namespaces'] = false;

Affected Version(s)

ManageWiki < f504ed8

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
