CVE-2025-62653 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, found in the MediaWiki PollNY extension versions 1.39, 1.43, and 1.44. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored and later executed in the context of users viewing the affected pages. Exploitation requires an attacker to have high privileges within the MediaWiki environment and involves partial user interaction, such as a victim visiting a compromised page. The vulnerability's CVSS v4.0 score is 2.0, indicating low severity due to the high attack complexity, the need for privileges, and limited impact on confidentiality, integrity, and availability. The vulnerability does not require authentication bypass or system-level access but can lead to session hijacking, defacement, or other client-side attacks if exploited. No public exploits or active exploitation have been reported to date. The vulnerability affects a specific extension rather than the core MediaWiki software, limiting the scope to installations that have enabled PollNY. The Wikimedia Foundation has published the vulnerability details but has not yet released patches, so users must monitor for updates. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in extensions that handle user-generated content.

For European organizations using MediaWiki with the PollNY extension, this vulnerability could allow attackers with high privileges to inject malicious scripts that execute in the browsers of users viewing affected pages. Potential impacts include session hijacking, theft of sensitive information, defacement of content, or distribution of malware via the compromised wiki pages. Although the CVSS score is low, the stored nature of the XSS means that once injected, the malicious payload could affect multiple users over time. This is particularly concerning for organizations relying on MediaWiki for internal knowledge management, collaboration, or public-facing documentation, as it could undermine trust and confidentiality. The impact on availability is minimal, but integrity and confidentiality risks exist at a limited scope. Since exploitation requires high privileges and user interaction, the threat is somewhat contained but still relevant for environments with many users or less stringent access controls. European organizations with regulatory requirements around data protection (e.g., GDPR) must consider the risk of data leakage or unauthorized access resulting from such XSS attacks.

Organizations should immediately audit their MediaWiki installations to determine if the PollNY extension is in use and identify affected versions (1.39, 1.43, 1.44). Until patches are released, restrict access to the extension's functionality to trusted, high-privilege users only. Implement strict input validation and output encoding on all user-generated content within the PollNY extension to prevent script injection. Monitor MediaWiki and Wikimedia Foundation advisories for official patches and apply them promptly once available. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. Conduct regular security reviews and penetration testing focused on extensions handling user input. Educate users about the risks of clicking on suspicious links or content within internal wikis. Finally, consider disabling or removing the PollNY extension if it is not essential to reduce the attack surface.