
Wikimedia Foundation — Vulnerabilities & Security Advisories (107)

Browse all 107 CVE security advisories affecting Wikimedia Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Wikimedia Foundation operates the world's largest collaborative encyclopedia platform, hosting Wikipedia and its sister projects, which serve billions of monthly visitors. Its services are built on MediaWiki and a large ecosystem of MediaWiki extensions. Historically reported vulnerability classes include cross-site scripting (XSS), SQL injection and remote code execution (RCE) from legacy code paths or misconfigurations; the advisories listed on this page are dominated by XSS in extensions, most often a system message or i18n string inserted into HTML without escaping, or a parser-function argument reflected straight into markup. Missing authorization checks (AbuseFilter, SecurePoll), cross-site request forgery in admin actions, a denial-of-service vector in IPInfo and an authentication bypass in CentralAuth round out the set. The organization maintains regular audits and bug bounty programs, but the size of the codebase and the open editing model, in which interface messages are themselves editable wiki content, mean that input validation and privilege separation remain ongoing work. The Foundation remains a critical public resource, balancing transparency with the need to protect user data and system integrity against sophisticated threats targeting its extensive digital footprint.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-7363 | TitleIcon: Stored Cross-Site Scripting (XSS) via #titleicon_unicode parser function | MediaWiki - TitleIcon extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-07-08 |
| CVE-2025-7362 | MsUpload: Stored Cross-Site Scripting (XSS) via unsanitized msu-continue system message | MediaWiki - MsUpload extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-07-08 |
| CVE-2025-53479 | CheckUser: Reflected Cross-Site Scripting (XSS) in Special:CheckUser via unsanitized internationalized message | MediaWiki - CheckUser extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-08 |
| CVE-2025-53480 | CheckUser: Reflected Cross-Site Scripting (XSS) in Special:Investigate (Account information tab) via unsanitized i18n messages | MediaWiki - CheckUser extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-08 |
| CVE-2025-53496 | Stored XSS in MediaSearch | MediaWiki - MediaSearch extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-53488 | Stored XSS in WikiHiero | MediaWiki - WikiHiero extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-53498 | Lack of Audit Logging in AbuseFilter | MediaWiki - AbuseFilter extension | CWE-778 | 5.3 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-53499 | Unauthorized Inspection of Protected Variables in AbuseFilter | MediaWiki - AbuseFilter extension | CWE-862 | 9.8 (AI) | Critical (AI) | 2025-07-07 |
| CVE-2025-53495 | Unauthorized Disclosure of IP Reputation in AbuseFilter | MediaWiki - AbuseFilter extension | CWE-862 | 9.8 (AI) | Critical (AI) | 2025-07-07 |
| CVE-2025-53478 | CheckUser: Reflected Cross-Site Scripting (XSS) in Special:Investigate via unsanitized i18n messages | MediaWiki - CheckUser extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-53497 | Stored XSS in RelatedArticles | MediaWiki - RelatedArticles extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-53491 | XSS in FlaggedRevs | MediaWiki - FlaggedRevs extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-53487 | ApprovedRevs: Stored Cross-Site Scripting (XSS) via unsanitized system messages | MediaWiki - ApprovedRevs extension | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-7057 | Stored XSS in Quiz | MediaWiki - Quiz extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-53486 | WikiCategoryTagCloud: Reflected Cross-Site Scripting (XSS) via linkstyle attribute in parser function | MediaWiki - WikiCategoryTagCloud extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-7056 | Stored XSS in UrlShortener | MediaWiki - UrlShortener extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-53485 | SecurePoll: Unauthorized access to SetTranslationHandler allows arbitrary text changes | MediaWiki - SecurePoll extension | CWE-862 | 5.3 | - | 2025-07-04 |
| CVE-2025-53484 | SecurePoll: Multiple locations vulnerable to Cross-Site Scripting (XSS) via unescaped input | MediaWiki - SecurePoll extension | CWE-79 | 6.1 | - | 2025-07-04 |
| CVE-2025-53483 | SecurePoll: Multiple admin actions vulnerable to Cross-Site Request Forgery | MediaWiki - SecurePoll extension | CWE-352 | 8.8 | - | 2025-07-04 |
| CVE-2025-53482 | IPInfo: Message key XSS through several IPInfo messages in infobox and popup | MediaWiki - IPInfo extension | CWE-79 | 6.1 | - | 2025-07-04 |
| CVE-2025-53481 | Denial of service vector on ipinfo/v0/norevision | MediaWiki - IPInfo extension | CWE-400 | 7.5 | - | 2025-07-04 |
| CVE-2025-6926 | Security Authentication Bypass in CentralAuth | MediaWiki - CentralAuth extension | CWE-287 | 9.8 (AI) | Critical (AI) | 2025-07-03 |
| CVE-2025-53500 | Stored XSS in MassEditRegex | MediaWiki - MassEditRegex extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-03 |
| CVE-2025-53501 | Content Access Bypass in Scribunto | MediaWiki - Scribunto extension | CWE-284 | 6.5 (AI) | Medium (AI) | 2025-07-03 |
| CVE-2025-53502 | HTML injection in FeaturedFeeds | MediaWiki - FeaturedFeeds extension | CWE-20 | 6.1 (AI) | Medium (AI) | 2025-07-03 |
| CVE-2025-53489 | XSS in GoogleDocs4MW | MediaWiki - GoogleDocs4MW extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-03 |
| CVE-2025-53490 | Multiple XSS in CampaignEvents | MediaWiki - CampaignEvents extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-03 |
| CVE-2025-53492 | Stored XSS in MintyDocs | MediaWiki - MintyDocs extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-02 |
| CVE-2025-53493 | Stored XSS in MintyDocs | MediaWiki - MintyDocs extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-02 |
| CVE-2025-53494 | Stored XSS in TwoColConflict | MediaWiki - TwoColConflict extension | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-02 |

"(AI)" marks a CVSS score or severity that the site presents as AI-estimated rather than taken from the official record; a dash means no severity is given on the page.
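Several rows above name the same defect shape: a system or i18n message written into HTML without escaping (MsUpload, CheckUser, ApprovedRevs, IPInfo), or a parser-function attribute such as WikiCategoryTagCloud's linkstyle written straight into a tag. Both matter in MediaWiki because interface messages can be overridden on-wiki at MediaWiki:<key> and are supplied by translators, so they are editable content, not constants. The PHP below is an added illustration of that pattern beside its fix; it is not code from any of these extensions or from MediaWiki. MiniMessage and htmlElement are stand-ins written here for MediaWiki's Message class and Html::element(), the message text and the linkstyle value are constructed, and the class name "upload-status" is an assumption.

```php
<?php
declare( strict_types=1 );

// Stand-in for MediaWiki's Message class (same method names, no wiki needed).
// On a real wiki the text comes from i18n JSON, translatewiki, or an on-wiki
// override at MediaWiki:<key>, so it must be treated as untrusted input.
final class MiniMessage {
    public function __construct( private string $raw ) {
    }

    // Message::text(): parameters substituted, NOT HTML-escaped.
    public function text(): string {
        return $this->raw;
    }

    // Message::escaped(): text() passed through htmlspecialchars().
    public function escaped(): string {
        return htmlspecialchars( $this->raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Stand-in for Html::element(): escapes every attribute value and the content.
function htmlElement( string $tag, array $attrs, string $content ): string {
    $out = '<' . $tag;
    foreach ( $attrs as $name => $value ) {
        $out .= ' ' . $name . '="'
            . htmlspecialchars( (string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ) . '"';
    }
    return $out . '>' . htmlspecialchars( $content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )
        . '</' . $tag . '>';
}

// Vulnerable shape: message text and a parser-function attribute concatenated
// into raw HTML, so anything in either becomes live markup.
function renderVulnerable( MiniMessage $msg, string $linkstyle ): string {
    return '<div class="upload-status">' . $msg->text() . '</div>'
        . '<a style="' . $linkstyle . '">tag</a>';
}

// Hardened shape: content and attribute values escaped by the element builder.
// (MediaWiki additionally runs style values through Sanitizer::checkCss().)
function renderHardened( MiniMessage $msg, string $linkstyle ): string {
    return htmlElement( 'div', [ 'class' => 'upload-status' ], $msg->text() )
        . htmlElement( 'a', [ 'style' => $linkstyle ], 'tag' );
}

// Crude check used only by this script: did an injected tag survive as markup?
function hasLiveTag( string $html ): bool {
    return preg_match( '/<(img|script)\b/i', $html ) === 1;
}

// Constructed inputs (not taken from any advisory): a message edited to carry an
// event handler, and a style value that closes the attribute and the tag.
$msg = new MiniMessage( 'Upload complete <img src=x onerror=alert(document.domain)>' );
$linkstyle = '"><script>alert(1)</script><a x="';

$vulnerable = renderVulnerable( $msg, $linkstyle );
$hardened = renderHardened( $msg, $linkstyle );

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";

if ( !hasLiveTag( $vulnerable ) || hasLiveTag( $hardened ) ) {
    fwrite( STDERR, "unexpected result\n" );
    exit( 1 );
}
echo "ok: injected tags survive only in the vulnerable rendering\n";
```

Run with PHP 8 or later. In MediaWiki itself the equivalents are `$msg->escaped()` or `Html::element()` when the message is plain text and `$msg->parse()` when it is meant to contain wikitext; `->text()` and `Html::rawElement()` are only safe when the caller escapes the result. The regex check is deliberately crude; the question worth asking during review is whether any rendering path trusts a message key, not whether one particular payload gets through.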

This page lists every published CVE security advisory associated with Wikimedia Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.