
CVE-2025-53485: CWE-862 Missing Authorization in Wikimedia Foundation Mediawiki - SecurePoll extension

High
Type: Vulnerability
Tags: cve, cve-2025-53485, cwe-862
Published: Fri Jul 04 2025 (07/04/2025, 17:39:36 UTC)
Source: CVE Database V5
Vendor/Project: Wikimedia Foundation
Product: Mediawiki - SecurePoll extension

Description

SetTranslationHandler.php does not validate that the user is an election admin, allowing any (even unauthenticated) user to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

AI-Powered Analysis

Last updated: 07/04/2025, 18:09:30 UTC

Technical Analysis

CVE-2025-53485 is a security vulnerability identified in the SecurePoll extension of the Wikimedia Foundation's MediaWiki software. The vulnerability is classified under CWE-862, which refers to missing authorization. Specifically, the issue arises in the SetTranslationHandler.php component, where the system fails to verify whether the user attempting to modify election-related translation text holds the necessary election administrator privileges. This flaw allows any user, including unauthenticated users, to alter translation content related to elections. Although newer versions of MediaWiki have partially addressed this issue, the authorization check remains incomplete in affected versions. The vulnerability impacts MediaWiki SecurePoll extension versions 1.39.x prior to 1.39.13, 1.42.x prior to 1.42.7, and 1.43.x prior to 1.43.2. No public exploits are currently known, and no CVSS score has been assigned yet. The vulnerability's root cause is the absence of proper authorization validation, enabling unauthorized modification of sensitive election-related data, which could undermine the integrity and trustworthiness of election processes managed through this extension.
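The missing check described above, shown as an added illustration rather than SecurePoll's own code: a stand-in election object plus the handler in its vulnerable shape and in a deny-by-default hardened shape. The class and method names (Election, isAdmin, SetTranslationHandler::run) and the admin list are assumptions constructed for this example; the real extension's types and rights names differ.

```php
<?php
// Added illustration, not code from the SecurePoll extension. The election
// model and handler names below are constructed stand-ins.

final class Election {
    /** @var string[] usernames holding election-admin rights (constructed sample) */
    private array $admins;
    /** @var array<string, array<string, string>> lang => key => text */
    public array $translations = [];

    public function __construct(array $admins) { $this->admins = $admins; }

    public function isAdmin(?string $user): bool {
        // An unauthenticated request carries no user; it must never count as admin.
        return $user !== null && in_array($user, $this->admins, true);
    }
}

// Vulnerable shape (CWE-862): the handler never asks who the caller is and
// writes election-related text for anyone who reaches the endpoint.
final class VulnerableSetTranslationHandler {
    public function run(Election $e, ?string $user, string $lang, string $key, string $text): bool {
        $e->translations[$lang][$key] = $text;
        return true;
    }
}

// Hardened shape: authorize before any state change and fail closed. In a
// MediaWiki handler the false branch would become an HTTP 403 response.
final class SetTranslationHandler {
    public function run(Election $e, ?string $user, string $lang, string $key, string $text): bool {
        if (!$e->isAdmin($user)) {
            return false;
        }
        $e->translations[$lang][$key] = $text;
        return true;
    }
}

// Constructed demonstration: an anonymous caller (null user) against both shapes.
$election = new Election(['ElectionAdmin']);
$old = new VulnerableSetTranslationHandler();
$new = new SetTranslationHandler();
var_dump($old->run($election, null, 'de', 'intro', 'tampered'));      // anonymous write accepted
var_dump($new->run($election, null, 'de', 'intro', 'tampered'));      // anonymous write rejected
var_dump($new->run($election, 'ElectionAdmin', 'de', 'intro', 'ok')); // admin write accepted
```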

Potential Impact

For European organizations, particularly those involved in governance, public administration, or any entities utilizing MediaWiki with the SecurePoll extension for election or polling purposes, this vulnerability poses a significant risk. Unauthorized modification of election-related translation texts can lead to misinformation, manipulation of election content, and erosion of public trust in digital election tools. This could affect the confidentiality and integrity of election data, potentially influencing voter perception or behavior. Additionally, since the vulnerability allows unauthenticated users to make changes, it broadens the attack surface, increasing the likelihood of exploitation by malicious actors. The impact extends beyond technical compromise to reputational damage and challenges to democratic processes, especially in countries where digital election tools are integrated into official workflows or public information dissemination.

Mitigation Recommendations

To mitigate this vulnerability, organizations should promptly upgrade the SecurePoll extension to the latest patched versions: 1.39.13 or later for the 1.39.x branch, 1.42.7 or later for the 1.42.x branch, and 1.43.2 or later for the 1.43.x branch. If immediate upgrading is not feasible, implement strict access controls at the web server or application firewall level to restrict access to the SetTranslationHandler.php endpoint only to trusted election administrators. Additionally, conduct thorough audits of election-related translation changes to detect unauthorized modifications. Employ monitoring and alerting mechanisms for unusual activity related to translation updates. Organizations should also review and harden their MediaWiki configurations to enforce robust authentication and authorization policies, ensuring that only authorized personnel can perform sensitive operations. Finally, consider isolating election-related MediaWiki instances from public access or deploying additional verification steps for translation changes to prevent unauthorized edits.


Technical Details

Data Version: 5.1
Assigner Short Name: wikimedia-foundation
Date Reserved: 2025-06-30T15:20:44.462Z
CVSS Version: null
State: PUBLISHED

Threat ID: 686815556f40f0eb72a1e957

Added to database: 7/4/2025, 5:54:29 PM

Last enriched: 7/4/2025, 6:09:30 PM

Last updated: 7/4/2025, 6:09:30 PM
