How to fix EUVD-2025-20088?

Within 24 hours: Identify all MediaWiki instances running SecurePoll extension versions 1.39.x before 1.39.13, 1.42.x before 1.42.7, or 1.43.x before 1.43.2 using automated discovery tools. Within 7 days: Apply vendor-released patches by upgrading to SecurePoll 1.39.13, 1.42.7, or 1.43.2 or later depending on your MediaWiki version line. Within 30 days: Conduct a security audit of poll data and page configuration for signs of prior XSS injection and reset user sessions as a precaution.

Is PHP affected by EUVD-2025-20088?

CVE-2025-53484 is a critical stored cross-site scripting (XSS) vulnerability in MediaWiki's SecurePoll extension that allows attackers to inject malicious JavaScript through poll options and page names, potentially compromising user sessions and enabling account takeover for organizations running…

PHP EUVD-2025-20088

| CVE-2025-53484 CRITICAL

Cross-site Scripting (XSS) (CWE-79)

2025-07-04 c4f26cc8-17ff-4c99-b5e2-38fc1793eacc

PHP XSS

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:52 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.43.2,1.39.13,1.42.7

Analysis Generated

Mar 16, 2026 - 02:42 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 02:42 euvd

EUVD-2025-20088

CVE Published

Jul 04, 2025 - 18:15 nvd

CRITICAL 9.8

DescriptionNVD

User-controlled inputs are improperly escaped in:

* VotePage.php (poll option input)

* ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names)

This allows attackers to inject JavaScript and compromise user sessions under certain conditions.

This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Analysis

User-controlled inputs are improperly escaped in:

* VotePage.php (poll option input)

* ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names)

This allows attackers to inject JavaScript and compromise user sessions under certain conditions.

This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

EUVD-2025-20088 vulnerability details – vuln.today

Back

PHP EUVD-2025-20088

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code