CVE-2025-62652 is a Stored Cross-site Scripting (XSS) vulnerability categorized under CWE-79 that affects the MediaWiki WebAuthn extension versions 1.39, 1.43, and 1.44. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored and later executed in the browsers of other users who view the affected pages. This type of vulnerability can be exploited by attackers who have limited privileges (low privileges required) and requires user interaction, such as clicking a crafted link or viewing a compromised page. The CVSS 4.0 vector indicates the attack can be performed remotely over the network with low complexity, but partial authentication is needed, and user interaction is required. The impact on confidentiality and integrity is high, as attackers can steal session cookies, perform actions on behalf of users, or manipulate displayed content, potentially leading to account compromise or misinformation. Availability impact is low. No known exploits are currently reported in the wild, but the presence of this vulnerability in widely used MediaWiki extensions poses a significant risk to organizations relying on collaborative platforms. The Wikimedia Foundation has not yet published patches, so users should monitor for updates. The vulnerability affects versions 1.39, 1.43, and 1.44 of the WebAuthn extension, which is used to enhance authentication mechanisms in MediaWiki installations.

For European organizations, the impact of CVE-2025-62652 can be significant, especially for public sector entities, educational institutions, and enterprises that use MediaWiki for knowledge management and collaboration. Exploitation could lead to unauthorized access to user accounts, theft of sensitive information, and manipulation of content, undermining trust and operational integrity. Given the collaborative nature of MediaWiki platforms, an attacker could leverage this vulnerability to spread misinformation or conduct phishing campaigns targeting users. The partial authentication requirement limits the attack surface but does not eliminate risk, as many users may have accounts with sufficient privileges to inject malicious content. The need for user interaction means social engineering could be used to facilitate exploitation. The vulnerability could also affect the integrity of critical documentation and internal communications, impacting compliance and regulatory requirements under GDPR and other European data protection laws. Organizations relying on MediaWiki for public-facing content or internal knowledge bases should consider this vulnerability a moderate threat that requires timely remediation to prevent reputational and operational damage.

1. Monitor the Wikimedia Foundation’s official channels for patches addressing CVE-2025-62652 and apply them promptly once available. 2. Until patches are released, restrict user permissions to the minimum necessary, especially limiting the ability to create or edit pages for users who do not require it. 3. Implement strict input validation and output encoding on all user-generated content within the MediaWiki WebAuthn extension to prevent injection of malicious scripts. 4. Deploy a robust Content Security Policy (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 5. Conduct regular security audits and code reviews focusing on input handling in MediaWiki extensions. 6. Educate users about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of successful social engineering. 7. Monitor logs and user activity for signs of exploitation attempts or unusual behavior indicative of XSS attacks. 8. Consider isolating or sandboxing the WebAuthn extension functionality if feasible to limit the scope of potential attacks. 9. Use web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting MediaWiki environments.