CVE-2025-11937 identifies a stored Cross-site Scripting (XSS) vulnerability in the SecurePoll extension of Mediawiki, an open-source wiki platform maintained by The Wikimedia Foundation. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the SecurePoll extension fails to adequately sanitize or encode user-supplied data before embedding it into HTML output, allowing malicious scripts to be stored persistently on wiki pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The affected version is the 'master' branch of the SecurePoll extension, indicating that the vulnerability exists in the latest development code at the time of disclosure. The CVSS v4.0 base score is 6.9, reflecting a medium severity level due to network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild yet, but the vulnerability's nature as stored XSS makes it a significant risk for any Mediawiki deployment using this extension. The SecurePoll extension is often used to facilitate polling or voting features within Mediawiki, which can be attractive targets for attackers aiming to manipulate content or disrupt collaborative environments. The vulnerability was published on October 18, 2025, and no official patches or fixes have been linked at the time of this report. The Wikimedia Foundation is the assigner and vendor project responsible for addressing this issue.

For European organizations, the impact of CVE-2025-11937 can be substantial, especially for those relying on Mediawiki with the SecurePoll extension for internal knowledge bases, collaborative documentation, or public-facing content. Exploitation of this stored XSS vulnerability can lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver further malware payloads. This can compromise confidentiality by exposing sensitive information, integrity by altering content or poll results, and availability if malicious scripts disrupt normal operations. Public sector entities, educational institutions, and large enterprises in Europe often use Mediawiki for documentation and collaboration, making them potential targets. Additionally, reputational damage and regulatory consequences under GDPR may arise if personal data is exposed or manipulated. Although no exploits are currently known in the wild, the ease of exploitation (no authentication or user interaction required) increases the risk of future attacks. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise but still poses a meaningful threat to web application security and user trust.

To mitigate CVE-2025-11937, European organizations should take the following specific actions: 1) Immediately audit Mediawiki installations to identify use of the SecurePoll extension, particularly the affected 'master' branch version. 2) Temporarily disable or restrict access to the SecurePoll extension until an official patch or update is released by the Wikimedia Foundation. 3) Implement rigorous input validation and output encoding on all user-supplied data within the SecurePoll extension to prevent injection of malicious scripts. 4) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing Mediawiki pages. 5) Monitor web server and application logs for unusual input patterns or suspicious activity indicative of attempted XSS exploitation. 6) Educate users and administrators about the risks of stored XSS and encourage prompt reporting of suspicious behavior. 7) Once a patch is available, apply it promptly and verify that the vulnerability is resolved through security testing. 8) Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Mediawiki. These targeted measures go beyond generic advice by focusing on the specific extension and its usage context.