
The Wikimedia Foundation — Vulnerabilities & Security Advisories (62)

Browse all 62 CVE security advisories affecting The Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Wikimedia Foundation operates non-profit digital platforms, most notably Wikipedia, facilitating global knowledge sharing through collaborative editing. Its infrastructure relies on complex web applications and databases, making it a frequent target for automated scanning and exploitation. Historical vulnerability records indicate a prevalence of cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF) flaws, stemming from the scale and diversity of its codebase contributions. While remote code execution (RCE) incidents are less common, they pose significant risks due to the platform’s critical nature. The organization employs rigorous code review processes and maintains a dedicated security team to address these issues. Despite these measures, the sheer volume of user-generated content and extensions creates a broad attack surface. The foundation’s response to security incidents typically involves rapid patching and transparency reports, aiming to maintain trust while mitigating the impact of discovered exploits on its vast user base.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-62668 | Insufficient permission checks in action=growthsetmentor | Mediawiki - GrowthExperiments Extension | CWE-276 | 7.5 (AI) | High (AI) | 2025-10-18 |
| CVE-2025-62669 | UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks | Mediawiki - CentralAuth Extension | CWE-200 | 7.5 (AI) | High (AI) | 2025-10-18 |
| CVE-2025-62670 | Stored XSS through a system message in FlexDiagrams | Mediawiki - FlexDiagrams Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-18 |
| CVE-2025-62671 | Stored XSS through wikitext in Cargo | Mediawiki - Cargo Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-18 |
| CVE-2025-62662 | Stored XSS through system messages in AdvancedSearch | Mediawiki - AdvancedSearch Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-18 |
| CVE-2025-62663 | Stored XSS through a system message in UploadWizard | Mediawiki - UploadWizard Extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-18 |
| CVE-2025-62664 | Stored XSS through a system message in ImageRating | Mediawiki - ImageRating Extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-18 |
| CVE-2025-62655 | SQL injection in Cargo via Special:CargoExport | MediaWiki Cargo extension | CWE-89 | 9.8 (AI) | Critical (AI) | 2025-10-17 |
| CVE-2025-62654 | Stored XSS through system messages in QuizGame | MediaWiki QuizGame extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-17 |
| CVE-2025-62653 | Stored XSS through system messages in PollNY | MediaWiki PollNY extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-17 |
| CVE-2025-62652 | Stored XSS in WebAuthn key name | MediaWiki WebAuthn extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-17 |
| CVE-2025-32077 | XSSes in Extension:SimpleCalendar | Mediawiki - Extension:SimpleCalendar | CWE-20 | 6.1 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32078 | XSSes and potential RCE in Special:VersionCompare | Mediawiki - Version Compare Extension | CWE-116 | 6.1 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32079 | Saving the right content to MediaWiki:GrowthMentors.json can take down the site | Mediawiki - GrowthExperiments | CWE-20 | 7.5 (AI) | High (AI) | 2025-04-11 |
| CVE-2025-32080 | Cross-origin data leak in mobilefrontend via lazy load images | Mediawiki - Mobile Frontend Extension | CWE-200 | 5.3 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32076 | Evil regex used to process user-provided data in VisualData | Mediawiki - Visual Data Extension | CWE-20 | 7.5 (AI) | High (AI) | 2025-04-11 |
| CVE-2025-32072 | HTML injection in feed output from i18n message | Mediawiki Core - Feed Utils | CWE-116 | 6.5 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32073 | System message XSS in HTMLTags | Mediawiki - HTML Tags | CWE-20 | 6.1 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32074 | XSSes in Extension:ConfirmAccount | Mediawiki - Confirm Account Extension | CWE-116 | 6.1 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32075 | IP and user agent leaks in Extension:Tabs | Mediawiki - Tabs Extension | CWE-20 | 9.8 (AI) | Critical (AI) | 2025-04-11 |
| CVE-2025-32067 | i18n XSS vulnerability in message growthexperiments | Mediawiki - Growth Experiments Extension | CWE-20 | 6.1 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32068 | Revoking authorization of OAuth2 consumer does not invalidate refresh tokens | Mediawiki - OAuth Extension | CWE-863 | 9.8 (AI) | Critical (AI) | 2025-04-11 |
| CVE-2025-32069 | Wikitext stored XSS on filepages due to dangerous WBMI serialization | Mediawiki - Wikibase Media Info Extension | CWE-20 | 6.1 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32070 | XSSes in AJAXPoll | Mediawiki - AJAX Poll Extension | CWE-20 | 6.1 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2025-32071 | Wikibase CommonsInlineImageFormatter: i18n XSS | Mediawiki - Wikidata Extension | CWE-20 | 6.1 (AI) | Medium (AI) | 2025-04-11 |
| CVE-2024-47841 | Path traversal when loading stylesheets | Mediawiki - CSS Extension | CWE-22 | 7.5 | - | 2024-10-05 |
| CVE-2024-47840 | Stored XSS through sidebar in Apex skin | Mediawiki - Apex skin | CWE-79 | 6.1 | - | 2024-10-05 |
| CVE-2024-47847 | Various XSSes found in Cargo | Mediawiki - Cargo | CWE-79 | 6.1 | - | 2024-10-05 |
| CVE-2024-47846 | Special:DeleteCargoTable and Special:SwitchCargoTable have no CSRF protection | Mediawiki - Cargo | CWE-352 | 8.8 | - | 2024-10-05 |
| CVE-2024-47849 | Backticks can allow the usage of not-allowed SQL functions | Mediawiki - Cargo | CWE-89 | 9.8 | - | 2024-10-05 |

CVSS scores and severities marked (AI) carry the "AI" tag shown on the source listing; "-" means no severity is given for that entry.

This page lists every published CVE security advisory associated with The Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.