CVE-2025-25287
CVSS 3.1 Score 4.7 of 10 (medium)
Details
Summary
CVE-2025-25287 is a cross-site scripting (XSS) vulnerability affecting the Lakeus theme for MediaWiki. The issue, present in versions prior to 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, allows a highly privileged attacker to inject malicious scripts through system messages. Specifically, holders of the `(editinterface)` right can edit system messages that themeDesigner.js mishandles, inserting their content as raw HTML. The impact varies with the server configuration, but in some cases the vulnerability can affect all users, because it can reach footer messages that are linked back to the Lakeus repository. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain patches that address this issue.
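The following is an added example of the bug class described above, not code from the Lakeus theme or from MediaWiki: an editable message string is concatenated into markup as raw HTML (the vulnerable pattern), beside the same rendering with HTML escaping applied (the hardened pattern), plus a small check a theme's unit tests could use to catch regressions. The message store, message keys, and function names are assumptions made for the demonstration.

```javascript
// Added illustration of raw-HTML injection from an editable message and the
// usual fix. Not code from Lakeus or MediaWiki; the message store, keys and
// function names below are assumptions for this demo.

// Constructed stand-in for wiki system messages that privileged editors can change.
const systemMessages = {
  'demo-footer-note': 'Theme by Lakeus',
  // Constructed hostile edit: markup stored in the message by a privileged editor.
  'demo-footer-evil': 'Theme by <img src=x onerror="console.log(\'ran\')">',
};

// Minimal HTML escaping of the characters that matter in text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the message text is concatenated straight into markup,
// the equivalent of assigning innerHTML or calling jQuery .html(), so any
// element in the message is rendered and its event handlers run.
function renderFooterUnsafe(key) {
  return '<div class="footer">' + systemMessages[key] + '</div>';
}

// Hardened pattern: the message is escaped before insertion, the equivalent of
// textContent or jQuery .text(), so the editor's markup is displayed as text.
function renderFooterSafe(key) {
  return '<div class="footer">' + escapeHtml(systemMessages[key]) + '</div>';
}

// Defender-side oracle for tests: after removing the known wrapper element,
// does the rendered footer still contain an unescaped tag opener?
function containsRawMarkup(html) {
  const inner = html
    .replace(/^<div class="footer">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-z!/]/i.test(inner);
}

// Stand-alone demo when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderFooterUnsafe('demo-footer-evil'));
  console.log('safe:  ', renderFooterSafe('demo-footer-evil'));
  console.log('unsafe has raw markup:', containsRawMarkup(renderFooterUnsafe('demo-footer-evil')));
  console.log('safe has raw markup:  ', containsRawMarkup(renderFooterSafe('demo-footer-evil')));
}
```

The check in `containsRawMarkup` is deliberately narrow: it knows the one wrapper element the renderer emits and flags anything else that looks like a tag. The right long-term fix is to never hand message text to an HTML sink; in MediaWiki's own client-side API that means preferring the text or escaped form of a message over parsing it as HTML unless the message is meant to carry markup.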