CVE-2025-67646: CWE-352: Cross-Site Request Forgery (CSRF) in Telepedia TableProgressTracking
TableProgressTracking is a MediaWiki extension to track progress against specific criteria. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the extension enabled, would trigger unintended authenticated actions through the victim's browser. Due to the lack of token validation, an attacker can delete or track progress against tables. This issue is patched in version 1.2.1 of the extension.
AI Analysis
Technical Summary
CVE-2025-67646 identifies a CSRF vulnerability in the Telepedia TableProgressTracking extension for MediaWiki, specifically affecting versions prior to 1.2.1. This extension is designed to track progress against specific criteria within wiki tables. The vulnerability stems from the REST API's failure to enforce CSRF token validation, a critical security control that prevents unauthorized commands from being executed via forged requests. An attacker can exploit this by luring an authenticated user to a malicious webpage, which then silently issues unauthorized REST API requests to the wiki server. These requests can manipulate or delete progress tracking data without the user's consent. The attack requires the victim to be authenticated with at least limited privileges (PR:L) and involves user interaction (UI:R), such as visiting a malicious site. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), and no impact on confidentiality or availability but limited impact on integrity (I:L). No known exploits are currently reported in the wild. The issue is resolved in version 1.2.1 of the extension, which implements proper CSRF token validation to ensure that only legitimate requests from authenticated users are processed.
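The fix pattern the summary describes, as an added illustration rather than the extension's actual code: a MediaWiki REST write handler that validates the session CSRF token before touching progress data. The class and route names and the storeProgress() helper are assumptions; the token helpers come from MediaWiki core's TokenAwareHandlerTrait and the body-parameter API of recent core releases.

```php
<?php
// Added illustration of the fix pattern; not the extension's own code.
// Assumed: class and route names, the storeProgress() helper, and a
// MediaWiki core recent enough to provide Handler::getBodyParamSettings()
// together with TokenAwareHandlerTrait.
namespace TableProgressTracking\Rest;

use MediaWiki\Rest\SimpleHandler;
use MediaWiki\Rest\TokenAwareHandlerTrait;
use MediaWiki\Rest\Validator\Validator;
use Wikimedia\ParamValidator\ParamValidator;

class TrackProgressHandler extends SimpleHandler {
	use TokenAwareHandlerTrait;

	/** Marks the endpoint as state-changing so the router applies write checks. */
	public function needsWriteAccess(): bool {
		return true;
	}

	/** The table id is a path parameter, e.g. /tableprogress/v0/track/{id}. */
	public function getParamSettings(): array {
		return [
			'id' => [
				Validator::PARAM_SOURCE => 'path',
				ParamValidator::PARAM_TYPE => 'string',
				ParamValidator::PARAM_REQUIRED => true,
			],
		];
	}

	/** The CSRF token is expected in the JSON body under the key "token". */
	public function getBodyParamSettings(): array {
		return $this->getTokenParamDefinition();
	}

	public function run( string $id ) {
		// The vulnerable shape is this method without the next line: browsers
		// attach the session cookie to cross-site POSTs, so any page the user
		// visits could reach the endpoint. validateToken() answers HTTP 403
		// unless the submitted token matches the session's CSRF token (sessions
		// that are inherently CSRF-safe, such as OAuth, are exempt).
		$this->validateToken();

		$user = $this->getAuthority()->getUser();
		$this->storeProgress( $user, $id ); // assumed persistence helper
		return $this->getResponseFactory()->createJson( [ 'tracked' => $id ] );
	}
}
```

Clients obtain the token from the wiki's own session (for example via the action API's csrf token) and send it in the body; a forged cross-site request cannot read it and is refused.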
Potential Impact
For European organizations, the primary impact of this vulnerability lies in the potential unauthorized modification or deletion of progress tracking data within MediaWiki environments using the vulnerable TableProgressTracking extension. While the confidentiality and availability of the system remain unaffected, the integrity of tracked progress data can be compromised, potentially disrupting project management, compliance tracking, or collaborative workflows. Organizations relying heavily on MediaWiki for knowledge management, documentation, or internal collaboration may face operational inefficiencies or data integrity issues. The requirement for user interaction and authenticated access limits the attack scope but does not eliminate risk, especially in environments with many users and frequent external content access. The low CVSS score reflects the limited severity, but the impact could be more pronounced in sectors where accurate progress tracking is critical, such as government agencies, research institutions, and large enterprises prevalent in Europe.
Mitigation Recommendations
European organizations should immediately upgrade the Telepedia TableProgressTracking extension to version 1.2.1 or later, where the CSRF validation issue is patched. Until the update is applied, administrators should consider disabling the REST API endpoints related to progress tracking if feasible or restricting access to trusted networks only. Implementing strict Content Security Policy (CSP) headers can help mitigate CSRF risks by limiting the domains that can execute scripts or send requests. Educating users about the risks of visiting untrusted websites while authenticated to internal wikis can reduce the likelihood of successful exploitation. Additionally, monitoring wiki logs for unusual REST API activity and employing web application firewalls (WAF) with CSRF protection rules can provide further defense layers. Regular security audits of MediaWiki extensions and configurations are recommended to identify and remediate similar issues proactively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-09T18:36:41.331Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693a0800e425ca5072db0c62
Added to database: 12/10/2025, 11:53:36 PM
Last enriched: 12/18/2025, 12:47:35 AM
Last updated: 2/5/2026, 4:52:30 PM