CVE-2025-62667 identifies a stored Cross-site Scripting (XSS) vulnerability in the GrowthExperiments extension of Mediawiki, a widely used open-source wiki platform developed by The Wikimedia Foundation. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the extension fails to adequately sanitize user-supplied input before rendering it on web pages, enabling attackers to inject malicious JavaScript code that is stored persistently. When other users access the affected pages, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability affects the master branch before version 1.39 of the GrowthExperiments extension. According to the CVSS 4.0 vector, the attack vector is network-based (AV:N), requiring no privileges (PR:N), no user interaction (UI:N), and no authentication (AT:N), making exploitation relatively straightforward. The impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L), and the scope is limited (SC:L). No public exploits have been reported yet, but the presence of stored XSS in a popular extension used in Mediawiki installations poses a tangible risk, especially for organizations relying on Mediawiki for collaborative content management. The vulnerability was published on October 18, 2025, and no patches or fixes are currently linked, indicating the need for immediate attention from administrators.

For European organizations, this vulnerability poses a moderate risk primarily to those using Mediawiki with the GrowthExperiments extension, especially in sectors such as government, education, research institutions, and public services where Mediawiki is commonly deployed for documentation and collaboration. Exploitation could allow attackers to execute arbitrary scripts in the context of users' browsers, leading to theft of session cookies, unauthorized actions, or spreading malware internally. This can result in data leakage, defacement of wiki content, or disruption of collaborative workflows. Given the extension's usage in experimental growth features, the impact might be limited to specific deployments, but the risk of lateral movement or further exploitation remains. The vulnerability's ease of exploitation without authentication and user interaction increases the threat level for exposed public-facing Mediawiki instances. Additionally, compromised wikis could damage organizational reputation and trust. The medium severity rating reflects these factors, but the actual impact depends on the extent of the extension's deployment and the sensitivity of the hosted content.

European organizations should immediately audit their Mediawiki installations to determine if the GrowthExperiments extension is in use and identify affected versions. Until an official patch is released, administrators should consider disabling the GrowthExperiments extension to eliminate the attack surface. Implement strict input validation and output encoding on all user-supplied data within the extension to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the wiki. Monitor logs for unusual activity or injection attempts targeting the extension. Educate users about the risks of clicking on suspicious links or content within the wiki. Regularly update Mediawiki and its extensions to the latest secure versions once patches become available. For critical deployments, consider isolating the wiki environment behind additional security layers such as web application firewalls (WAF) configured to detect and block XSS payloads. Conduct penetration testing focused on XSS vulnerabilities to verify mitigation effectiveness.