CVE-2025-25287: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in lakejason0 mediawiki-skins-Lakeus
Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to stored cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch.
AI Analysis
Technical Summary
CVE-2025-25287 is a stored cross-site scripting (XSS) vulnerability identified in the Lakeus skin for MediaWiki, a popular open-source wiki platform. The vulnerability affects versions from 1.0.8 up to but not including 1.3.1+REL1.39. The root cause is improper neutralization of input during web page generation (CWE-79), specifically in the handling of system messages editable by users with high privileges (those with the 'editinterface' right). These system messages can contain raw HTML, which is not properly sanitized before being rendered. A notable example is the 'lakeus-footermessage' system message, which, if exploited, can affect all users visiting the MediaWiki instance if the server is configured to link back to the Lakeus repository. Other system messages in themeDesigner.js are only used if users enable the themeDesigner feature in their preferences, limiting exposure. The vulnerability allows an attacker with high privileges to inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability has been patched in versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0. The CVSS v3.1 base score is 4.7 (medium severity), reflecting network attack vector, low attack complexity, required high privileges, no user interaction, and impacts on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.
Potential Impact
For European organizations using MediaWiki with the Lakeus skin in affected versions, this vulnerability poses a moderate risk. Since exploitation requires high privileges (editinterface rights), the threat is primarily from insider attackers or compromised administrator accounts. If exploited, malicious scripts could be injected into system messages, affecting all users who view these messages, potentially leading to session hijacking, unauthorized actions, or data leakage. This can undermine trust in internal knowledge bases or public-facing wikis, disrupt collaboration, and cause reputational damage. Organizations in sectors with strict data protection regulations (e.g., GDPR) could face compliance issues if user data is compromised. The impact is heightened for organizations with large user bases or those exposing MediaWiki instances to the internet. However, the requirement for high privileges and the absence of known active exploits reduce the immediate risk level.
Mitigation Recommendations
1. Upgrade all affected MediaWiki instances using the Lakeus skin to version 1.3.1+REL1.39 or later, where the vulnerability is patched.
2. Restrict and audit 'editinterface' permissions rigorously to trusted administrators only, minimizing the risk of privilege abuse.
3. Review and sanitize existing system messages, especially 'lakeus-footermessage', to remove any potentially malicious HTML or scripts.
4. Disable or restrict the use of themeDesigner.js features unless explicitly required and ensure users enabling it are aware of potential risks.
5. Implement Content Security Policy (CSP) headers to limit the impact of any injected scripts by restricting sources and script execution.
6. Monitor MediaWiki logs for unusual edits to system messages or privilege escalations.
7. Educate administrators about the risks of injecting raw HTML in system messages and enforce secure coding practices when customizing skins or messages.
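Steps 3 and 6 above amount to reviewing edits in the MediaWiki: (system message) namespace for raw HTML. The following added example, not code from the Lakeus project or this advisory, shows one way to triage such edits: it reads rows in the shape of MediaWiki's `list=recentchanges` API output joined with the revision text (a constructed sample), and flags edits to `lakeus-*` messages, rating `lakeus-footermessage` highest because it is rendered for every visitor. The `lakeus-themedesigner-title` key in the sample is hypothetical; the advisory does not name the themeDesigner.js message keys.

```python
import re

# Message keys the advisory names. The themeDesigner message keys are not listed
# on the page, so only the generic "lakeus-" prefix is used for them.
LAKEUS_PREFIX = "lakeus-"
HIGH_IMPACT = {"lakeus-footermessage"}  # rendered for every visitor per the advisory
SYSTEM_MESSAGE_NS = 8                   # the MediaWiki: namespace

# Constructed sample in the shape of MediaWiki's API list=recentchanges rows
# (ns, title, user, revid) joined with the revision text; not real wiki data.
SAMPLE_EDITS = [
    {"ns": 0, "title": "Main Page", "user": "Alice", "revid": 1001,
     "text": "Welcome to the wiki."},
    {"ns": 8, "title": "MediaWiki:Lakeus-footermessage", "user": "Mallory", "revid": 1002,
     "text": 'Powered by Lakeus <img src=x onerror="alert(1)">'},
    {"ns": 8, "title": "MediaWiki:Lakeus-themedesigner-title", "user": "Bob", "revid": 1003,
     "text": "Theme designer"},  # hypothetical Lakeus key, constructed for the sample
    {"ns": 8, "title": "MediaWiki:Sidebar", "user": "Alice", "revid": 1004,
     "text": "* navigation\n** mainpage|mainpage"},
]

HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
ACTIVE_CONTENT = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def classify_edit(edit):
    """Return (severity, reason) for an edit worth reviewing, else None."""
    if edit["ns"] != SYSTEM_MESSAGE_NS:
        return None
    key = edit["title"].split(":", 1)[1].lower()   # "MediaWiki:Foo" -> "foo"
    is_lakeus = key.startswith(LAKEUS_PREFIX)
    if ACTIVE_CONTENT.search(edit["text"]):
        # script tags, inline event handlers or javascript: URLs in any system message
        severity = "high" if key in HIGH_IMPACT else "medium"
        return severity, f"active content in system message {key}"
    if is_lakeus and HTML_TAG.search(edit["text"]):
        return "medium", f"raw HTML in Lakeus message {key}"
    if is_lakeus:
        return "info", f"edit to Lakeus message {key}"   # audit trail only
    return None


def review(edits):
    """Apply classify_edit to each row and return the findings in input order."""
    findings = []
    for edit in edits:
        result = classify_edit(edit)
        if result:
            severity, reason = result
            findings.append({"revid": edit["revid"], "title": edit["title"],
                             "user": edit["user"], "severity": severity, "reason": reason})
    return findings
```

Feeding real `recentchanges` rows (filtered with `rcnamespace=8`) plus each revision's text into `review()` gives a short list for an administrator to check after an upgrade.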
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-02-06T17:13:33.121Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687e3a12a83201eaac0f8677
Added to database: 7/21/2025, 1:01:06 PM
Last enriched: 7/21/2025, 1:16:37 PM
Last updated: 7/21/2025, 1:16:37 PM