CVE-2025-67646: CWE-352: Cross-Site Request Forgery (CSRF) in Telepedia TableProgressTracking
TableProgressTracking is a MediaWiki extension to track progress against specific criteria. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the extension enabled, would trigger unintended authenticated actions through the victim's browser. Due to the lack of token validation, an attacker can delete or track progress against tables. This issue is patched in version 1.2.1 of the extension.
AI Analysis
Technical Summary
CVE-2025-67646 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Telepedia TableProgressTracking extension for MediaWiki, specifically in versions 1.2.0 and earlier. This extension is designed to track progress against specific criteria within wiki tables. The vulnerability stems from the REST API's failure to enforce CSRF token validation, a critical security control that prevents unauthorized commands from being executed on behalf of authenticated users. An attacker can exploit this by crafting a malicious webpage that, when visited by an authenticated user of a wiki running the vulnerable extension, causes the user's browser to send unauthorized requests to the wiki. These requests can manipulate progress tracking data, including deleting or altering table progress entries, without the user's consent. The attack requires the victim to be authenticated and to interact with the malicious page, limiting the attack surface. The CVSS v3.1 score is 3.5 (low severity), reflecting the limited impact on confidentiality and availability, the need for user interaction, and the requirement for at least low privileges. No known exploits are currently reported in the wild. The vulnerability is addressed in version 1.2.1 of the TableProgressTracking extension, which implements proper CSRF token validation in the REST API endpoints. Organizations using this extension should prioritize updating to the patched version to prevent potential misuse.
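The following is an added illustration, not code from the extension or from its maintainers, of the control the summary describes: a state-changing REST endpoint that is authenticated only by the session cookie, beside the same endpoint once it also demands a per-session token that a page on another origin cannot read. The endpoint path, the in-memory session and progress stores, and the user and table names are all constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory state for this demonstration; not the extension's own storage.
SESSIONS: dict = {}   # session id -> {"user": ..., "csrf_token": ...}
PROGRESS: dict = {}   # (user, table id) -> set of tracked row ids


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a REST handler sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Open a session. The CSRF token is kept server-side and handed only to pages
    served by the wiki itself, so a page on another origin cannot learn it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


def track(user: str, table_id: str, row: str) -> None:
    """Record progress on one row of a table (hypothetical data model)."""
    PROGRESS.setdefault((user, table_id), set()).add(row)


def delete_progress(req: Request, require_token: bool) -> tuple:
    """Hypothetical 'delete tracked progress' endpoint.

    require_token=False mirrors the pre-1.2.1 behaviour the advisory describes:
    the session cookie is the only authentication, and browsers attach that
    cookie to cross-site requests automatically.
    require_token=True mirrors the fix: the request body must also carry the
    session's CSRF token, which a cross-site page cannot obtain.
    """
    if req.method != "POST":
        return 405, "method not allowed"
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    if require_token:
        supplied = str(req.body.get("token", ""))
        # Constant-time comparison: a wrong token is rejected without a timing side channel.
        if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
            return 403, "missing or invalid CSRF token"
    PROGRESS.pop((sess["user"], req.body.get("table", "")), None)
    return 200, "deleted"


ENDPOINT = "/rest.php/example/v0/progress/delete"   # hypothetical path, not the extension's
TABLE = "Table:Release-checklist"                    # constructed sample table


def _fresh_victim() -> str:
    """Reset state and log in a user who has tracked one row."""
    SESSIONS.clear()
    PROGRESS.clear()
    sid = login("alice")
    track("alice", TABLE, "row-3")
    return sid


def simulate_cross_site(require_token: bool) -> dict:
    """Replay the advisory's scenario: a request triggered from another origin
    arrives with the victim's cookie but without the token."""
    sid = _fresh_victim()
    forged = Request("POST", ENDPOINT, cookies={"session": sid}, body={"table": TABLE})
    status, _ = delete_progress(forged, require_token)
    return {"status": status, "progress_survived": ("alice", TABLE) in PROGRESS}


def simulate_legitimate(require_token: bool) -> dict:
    """A same-origin request made by the wiki's own UI includes the token and still works."""
    sid = _fresh_victim()
    genuine = Request("POST", ENDPOINT, cookies={"session": sid},
                      body={"table": TABLE, "token": SESSIONS[sid]["csrf_token"]})
    status, _ = delete_progress(genuine, require_token)
    return {"status": status, "progress_survived": ("alice", TABLE) in PROGRESS}


if __name__ == "__main__":
    print("vulnerable, cross-site :", simulate_cross_site(False))   # status 200, progress gone
    print("patched,    cross-site :", simulate_cross_site(True))    # status 403, progress intact
    print("patched,    legitimate :", simulate_legitimate(True))    # status 200, progress gone
```

The token must be bound to the session and compared in constant time; checking merely that some token field is present, or accepting a token from a different session, would leave the endpoint exposed.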
Potential Impact
For European organizations, the impact of this vulnerability is primarily on the integrity of wiki data related to progress tracking within tables. While it does not compromise confidentiality or availability, unauthorized modification or deletion of progress data could disrupt project tracking, reporting, or collaborative workflows that rely on accurate progress information. This could lead to operational inefficiencies or misinformed decision-making in environments where MediaWiki is used for knowledge management, project tracking, or documentation. Public sector entities, educational institutions, and enterprises that use MediaWiki with the TableProgressTracking extension may experience data integrity issues if targeted. Although the vulnerability requires user interaction and authentication, targeted phishing or social engineering campaigns could increase exploitation risk. The low CVSS score indicates limited overall risk, but the potential for subtle data manipulation warrants attention in environments where data accuracy is critical.
Mitigation Recommendations
European organizations should immediately upgrade the Telepedia TableProgressTracking extension to version 1.2.1 or later, which includes the necessary CSRF token validation fixes. Additionally, administrators should audit their MediaWiki installations to identify any instances of the vulnerable extension versions. Implementing Content Security Policy (CSP) headers can help reduce the risk of CSRF by restricting the domains from which scripts can be loaded. Organizations should also educate users about the risks of clicking on untrusted links or visiting suspicious websites while authenticated to sensitive internal systems. Where feasible, enforcing multi-factor authentication (MFA) can reduce the risk of session hijacking that might facilitate CSRF attacks. Monitoring wiki logs for unusual modification patterns or repeated REST API calls can help detect potential exploitation attempts. Finally, if the REST API endpoints related to progress tracking are not essential, consider disabling or restricting them to reduce the attack surface.
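As an added example of the log monitoring suggested above (not tooling from the extension or the advisory's author), the script below scans web-server access logs for two signals that fit this vulnerability class: write requests to the progress-tracking REST endpoints whose Referer points at a host other than the wiki, and bursts of such writes from one client. The log format (Apache combined style), the REST path prefix, the wiki hostname and the sample lines are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit

# Assumptions for the demonstration: adjust to the real wiki host and REST route.
WIKI_HOSTS = {"wiki.example.org"}
REST_WRITE_PREFIX = "/rest.php/example/v0/progress"   # hypothetical route prefix
WRITE_METHODS = {"POST", "PUT", "DELETE"}
BURST_COUNT = 5        # this many writes from one client ...
BURST_WINDOW_S = 60    # ... within this many seconds raises an alert

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(line: str):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines) -> list:
    """Yield (kind, user, detail) alerts for suspicious REST writes."""
    alerts = []
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent writes
    bursted = set()               # clients already reported for a burst
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] not in WRITE_METHODS or not rec["path"].startswith(REST_WRITE_PREFIX):
            continue
        # Signal 1: the write was initiated from a page on a foreign origin.
        # A missing Referer ("-") is ambiguous (referrer policies can strip it), so only
        # a present, non-wiki host is flagged; if the server logs the Origin header,
        # checking that too gives a stronger signal.
        referer = rec["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host is not None and ref_host not in WIKI_HOSTS:
            alerts.append(("cross-site-write", rec["user"], referer))
        # Signal 2: many writes from one client in a short window.
        key = (rec["ip"], rec["user"])
        q = recent[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > BURST_WINDOW_S:
            q.popleft()
        if len(q) >= BURST_COUNT and key not in bursted:
            bursted.add(key)
            alerts.append(("write-burst", rec["user"], rec["ip"]))
    return alerts


# Constructed sample log lines (not real traffic): one normal user, one whose
# session was driven from another origin and then hammered with deletes.
SAMPLE_LOG = [
    '203.0.113.5 - alice [11/Dec/2025:00:01:12 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - alice [11/Dec/2025:00:01:40 +0000] "POST /rest.php/example/v0/progress/track HTTP/1.1" 200 17 "https://wiki.example.org/wiki/Release_checklist" "Mozilla/5.0"',
    '198.51.100.7 - bob [11/Dec/2025:00:02:00 +0000] "POST /rest.php/example/v0/progress/delete HTTP/1.1" 200 17 "https://untrusted.example/contest.html" "Mozilla/5.0"',
    '198.51.100.7 - bob [11/Dec/2025:00:02:05 +0000] "POST /rest.php/example/v0/progress/delete HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.7 - bob [11/Dec/2025:00:02:10 +0000] "POST /rest.php/example/v0/progress/delete HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.7 - bob [11/Dec/2025:00:02:15 +0000] "POST /rest.php/example/v0/progress/delete HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.7 - bob [11/Dec/2025:00:02:20 +0000] "POST /rest.php/example/v0/progress/delete HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.7 - bob [11/Dec/2025:00:10:00 +0000] "POST /rest.php/example/v0/progress/track HTTP/1.1" 200 17 "https://wiki.example.org/wiki/Sprint_board" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample it reports one cross-site write and one write burst, both for the user whose session was abused, and nothing for the ordinary same-origin edit. On a patched wiki the same cross-site writes would show up as 403 responses, so filtering on status as well separates blocked attempts from successful ones.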
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-09T18:36:41.331Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693a0800e425ca5072db0c62
Added to database: 12/10/2025, 11:53:36 PM
Last enriched: 12/11/2025, 12:08:50 AM
Last updated: 12/11/2025, 1:10:21 AM