MediaWiki SecurePoll Extension User Input JavaScript Injection Vulnerability

Vulnerability

A vulnerability exists in the MediaWiki SecurePoll extension, specifically in versions 1.39.X prior to 1.39.13, 1.42.X prior to 1.42.7, and 1.43.X prior to 1.43.2. User-controlled inputs are not properly escaped in VotePage.php (poll option input) and ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names). This flaw allows attackers to inject JavaScript, potentially compromising user sessions under certain conditions.
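To triage installed versions against the ranges listed above, the following added example (not code from this advisory or from the SecurePoll project) classifies a version string as affected, fixed, or not listed. The function names, the sample inventory, and the choice to treat a pre-release of a fixed version as still affected are assumptions.

```python
import re

# First fixed patch level per affected branch, taken from the advisory text.
FIXED_PATCH = {(1, 39): 13, (1, 42): 7, (1, 43): 2}

# major.minor.patch with an optional "-suffix" pre-release tag (e.g. 1.43.2-rc.1).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?\s*$")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) or raise ValueError."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4] is not None


def triage(version):
    """Classify a version as 'affected', 'fixed' or 'not-listed'."""
    major, minor, patch, prerelease = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # The advisory says nothing about this branch; do not guess.
        return "not-listed"
    # Assumption: a pre-release of the fixed patch level (1.43.2-rc.1)
    # predates the fix release, so it is reported as affected.
    if patch < fixed or (patch == fixed and prerelease):
        return "affected"
    return "fixed"


def affected_hosts(inventory):
    """Return the sorted host names whose version is affected or unparseable."""
    flagged = []
    for host, version in inventory.items():
        try:
            if triage(version) == "affected":
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # unknown format: review by hand
    return sorted(flagged)


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "wiki-a": "1.39.12", "wiki-b": "1.39.13", "wiki-c": "1.42.7",
    "wiki-d": "1.43.2-rc.1", "wiki-e": "1.44.0", "wiki-f": "unknown",
}

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```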

Impact

Exploitation of this vulnerability could lead to JavaScript injection, allowing attackers to compromise user sessions.

Added: Jul 4, 2025, 6:17 PM
Updated: Jul 4, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.0
remediation: 0.0
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.