CVE-2025-61650 is an XSS vulnerability classified under CWE-79, found in the Wikimedia Foundation's CheckUser tool, which is used to assist in identifying abusive users on Wikimedia projects. The vulnerability arises from improper neutralization of input during web page generation in the CheckUserUserInfoCardService.php file. This flaw allows an attacker to inject malicious scripts that could execute in the context of users viewing the affected pages. However, exploitation requires the attacker to have high privileges (PR:H) and user interaction (UI:P), which significantly limits the attack surface. The vulnerability affects all versions before the commit 795bf333272206a0189050d975e94b70eb7dc507. The CVSS 4.0 vector indicates network attack vector (AV:N), low complexity (AC:L), no authentication required (AT:N), but privileges required (PR:H), user interaction required (UI:P), and low impact on confidentiality (VC:L), with no impact on integrity or availability. No known exploits have been reported in the wild, suggesting limited active exploitation. The vulnerability could be used in targeted attacks against Wikimedia administrators or trusted users who access the CheckUser interface, potentially leading to session hijacking or credential theft. The Wikimedia Foundation should prioritize patching and enhancing input validation and output encoding in the affected service to prevent script injection. Organizations deploying Wikimedia CheckUser should review their access controls and monitor for suspicious activity.

For European organizations, the direct impact is limited due to the requirement for high privileges and user interaction, reducing the likelihood of widespread exploitation. However, Wikimedia projects and their administrative tools are widely used across Europe, especially in countries with large Wikimedia communities and infrastructure such as Germany, France, and the UK. If exploited, attackers could execute malicious scripts in the context of privileged users, potentially leading to session hijacking, unauthorized actions, or disclosure of sensitive administrative information. This could undermine trust in Wikimedia services and disrupt administrative operations. Given Wikimedia's role in providing open knowledge, any compromise could have reputational impacts and affect information integrity. The vulnerability does not affect the confidentiality, integrity, or availability of Wikimedia content directly but could impact administrative processes and user trust.

1. Apply the patch or commit 795bf333272206a0189050d975e94b70eb7dc507 as soon as it becomes available to remediate the vulnerability. 2. Implement strict input validation and output encoding in the CheckUserUserInfoCardService.php and related components to prevent script injection. 3. Restrict access to the CheckUser tool to only trusted, authenticated administrators with minimal necessary privileges. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the administrative interface. 5. Monitor logs and user activity for unusual patterns that may indicate attempted exploitation. 6. Educate privileged users about the risks of interacting with untrusted content and the importance of cautious browsing behavior. 7. Regularly review and update security controls around Wikimedia administrative tools to reduce attack surface.