User Input Injection Vulnerability in MediaWiki SecurePoll Extension
CVE-2025-53484

Currently unrated

What is CVE-2025-53484?

The SecurePoll extension for MediaWiki is affected by a user input injection vulnerability caused by improperly escaped user-controlled input. The affected code paths are the poll options handled in the VotePage.php file and the ResultPage methods getPagesTab() and getErrorsTab(), where user-controlled page names are used without proper validation. An attacker can use these inputs to inject JavaScript code, which leads to compromised user sessions under specific conditions. Users of affected versions should take immediate action to mitigate this risk.
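The class of bug described above, shown as an added example that is not SecurePoll's code: an option label written into markup as-is, next to the same output with escaping applied where the value is emitted. The function names, the `/wiki/` link prefix and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from the SecurePoll extension.
// All function names here are hypothetical.

/** Escape a value for use in HTML text or inside a quoted attribute. */
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: the poll option label is concatenated into the markup unchanged. */
function renderOptionUnsafe(string $label): string {
    return '<label><input type="radio" name="vote"> ' . $label . '</label>';
}

/** After: the label is escaped at the point of output. */
function renderOptionSafe(string $label): string {
    return '<label><input type="radio" name="vote"> ' . esc($label) . '</label>';
}

/** After: a page name used as link target, attribute value and link text. */
function renderPageLinkSafe(string $pageName): string {
    // URL-encode for the path first, then HTML-escape for the attribute.
    $href = '/wiki/' . rawurlencode($pageName); // '/wiki/' prefix is an assumption
    return '<a href="' . esc($href) . '" title="' . esc($pageName) . '">'
        . esc($pageName) . '</a>';
}

// Constructed sample inputs that contain markup and quote characters.
$label = 'Option A <script>alert(1)</script>';
$page  = 'Talk:Poll" onmouseover="x';

echo renderOptionUnsafe($label), "\n"; // markup from the label reaches the page
echo renderOptionSafe($label), "\n";   // markup is rendered as inert text
echo renderPageLinkSafe($page), "\n";  // the quote cannot close the attribute

// Regression check: the escaped forms must not carry the raw input through.
if (strpos(renderOptionSafe($label), '<script>') !== false
    || strpos(renderPageLinkSafe($page), '" onmouseover=') !== false) {
    throw new RuntimeException('escaping regression');
}
```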

Affected Version(s)

MediaWiki - SecurePoll extension 1.39.x < 1.39.13

MediaWiki - SecurePoll extension 1.42.x < 1.42.7

MediaWiki - SecurePoll extension 1.43.x < 1.43.2
