CVE-2025-62694 is a stored Cross-site Scripting (XSS) vulnerability identified in the WikiLove extension of Mediawiki version 1.39, developed by The Wikimedia Foundation. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, classified under CWE-79. This flaw allows attackers to inject malicious JavaScript code that is stored persistently within the application, which is then executed in the browsers of users who view the affected pages. The vulnerability is remotely exploitable without requiring authentication or user interaction, as indicated by the CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:N). The impact includes potential theft of user credentials, session tokens, or other sensitive information, as well as the possibility of defacing content or distributing malware. Although no known exploits have been reported in the wild, the medium CVSS score of 6.9 reflects the significant risk posed by this vulnerability. The WikiLove extension is a popular add-on to Mediawiki that enables users to send virtual tokens of appreciation, making it a common feature in many Mediawiki deployments. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies to prevent exploitation.

For European organizations, the exploitation of this stored XSS vulnerability could lead to unauthorized access to user accounts, data leakage, and reputational damage. Since Mediawiki is widely used in educational institutions, government agencies, and enterprises across Europe for collaborative documentation and knowledge management, a successful attack could disrupt critical information workflows. Attackers could leverage this vulnerability to execute arbitrary scripts in the context of trusted users, potentially leading to session hijacking, privilege escalation, or the spread of malware within the network. The persistent nature of stored XSS increases the risk as malicious payloads remain active until removed. Given the collaborative and often public-facing nature of Mediawiki installations, the impact extends beyond internal users to external contributors and readers. This could undermine trust in organizational knowledge bases and lead to regulatory compliance issues, especially under GDPR if personal data is compromised.

Organizations should immediately assess their Mediawiki installations to determine if version 1.39 with the WikiLove extension is in use. Since no official patch is currently available, temporary mitigations include disabling the WikiLove extension until a fix is released. Implement strict input validation and output encoding on all user-generated content to prevent injection of malicious scripts. Deploy Content Security Policies (CSP) to restrict the execution of unauthorized scripts in browsers. Monitor web application logs for suspicious activities indicative of XSS exploitation attempts. Educate users about the risks of clicking on suspicious links or interacting with untrusted content within the wiki environment. Regularly update Mediawiki and its extensions to the latest versions once patches addressing this vulnerability are released. Consider employing web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting Mediawiki. Conduct security audits and penetration testing focused on input handling and script injection vectors within the wiki platform.