Platform
php
Component
tableprogresstracking
Fixed in
1.2.2
CVE-2025-67646 describes a Cross-Site Request Forgery (CSRF) vulnerability in the TableProgressTracking MediaWiki extension. State-changing requests to the extension's REST endpoints were accepted without a CSRF token check, so a site under an attacker's control can make an authenticated user's browser perform actions in the extension on that user's behalf. Versions 1.2.0 and earlier are vulnerable; version 1.2.1 addresses the issue with proper CSRF token validation.
The impact is that an attacker can modify the extension's tracking data without the victim's knowledge. An attacker who lures a logged-in user to a malicious page can have that user's browser submit requests that delete existing progress tables or create new tracking entries, because the browser attaches the wiki session cookie to the cross-site request just as it would to a legitimate one. The result is data loss, inaccurate reporting, or disruption of tracking processes within the MediaWiki environment. The severity is rated LOW, but unauthorized modification of tracking data still warrants prompt remediation.
The vulnerability was publicly disclosed on December 10, 2025. No public proof-of-concept (PoC) code had been released as of that date, and the vulnerability is not listed in the CISA KEV catalog. Given that exploitation requires luring an authenticated user and the severity is rated low, the probability of active exploitation is considered low, but vigilance is still advised.
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67646 is to upgrade the TableProgressTracking extension to version 1.2.1 or later, which validates a CSRF token on the affected REST endpoints. If an immediate upgrade is not feasible, a Web Application Firewall (WAF) rule that blocks requests to the extension's write endpoints when no token field is present can reduce exposure, with two caveats: a WAF can only check that a token is present, not that it matches the victim's session, and because the vulnerable release never required a token, the extension's own interface may not send one, so test such a rule against legitimate traffic before enforcing it. Treat it as a temporary layer only. Also review MediaWiki's security best practices and confirm that session handling, authentication, and authorization on the wiki are configured as recommended.
Update the TableProgressTracking extension to version 1.2.1 or higher. This version fixes the CSRF vulnerability in the extension's REST API by requiring and validating a CSRF token, which prevents attackers from executing state-changing actions on behalf of authenticated users.
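To make the fix concrete, the following is an added example written for this page; it is not code from the TableProgressTracking extension or from MediaWiki core. It shows a hypothetical MediaWiki REST write handler that deletes a progress table, first in the CSRF-vulnerable shape (state change authorized by the session cookie alone) and then hardened with core's TokenAwareHandlerTrait, which is the standard way MediaWiki REST handlers validate a session-bound CSRF token. The class names, the `table_id` path parameter, and the `progress_table`/`pt_id` storage names are assumptions; route registration in extension.json is omitted.

```php
<?php
// Added example, not code from the TableProgressTracking extension or from
// MediaWiki core. Class names, the 'table_id' path parameter and the
// 'progress_table' / 'pt_id' storage names are assumptions.

namespace MediaWiki\Extension\Example\Rest;

use MediaWiki\MediaWikiServices;
use MediaWiki\Rest\Handler;
use MediaWiki\Rest\LocalizedHttpException;
use MediaWiki\Rest\SimpleHandler;
use MediaWiki\Rest\TokenAwareHandlerTrait;
use MediaWiki\Rest\Validator\JsonBodyValidator;
use Wikimedia\Message\MessageValue;
use Wikimedia\ParamValidator\ParamValidator;

/** Hypothetical storage routine shared by both handlers. */
function deleteProgressTable( int $tableId ): void {
    $dbw = MediaWikiServices::getInstance()
        ->getDBLoadBalancer()
        ->getConnection( DB_PRIMARY );
    $dbw->delete( 'progress_table', [ 'pt_id' => $tableId ], __METHOD__ );
}

/**
 * Vulnerable shape. The only thing authorizing the write is the session
 * cookie, which the browser also attaches to requests that a third-party
 * page initiates, so any site a logged-in victim visits can trigger it.
 */
class DeleteTableHandlerVulnerable extends SimpleHandler {
    public function needsWriteAccess() {
        return true;
    }

    public function getParamSettings() {
        return [
            'table_id' => [
                Handler::PARAM_SOURCE => 'path',
                ParamValidator::PARAM_TYPE => 'integer',
                ParamValidator::PARAM_REQUIRED => true,
            ],
        ];
    }

    public function run( int $tableId ) {
        // Nothing proves the wiki's own UI initiated this request.
        deleteProgressTable( $tableId );
        return $this->getResponseFactory()->createNoContent();
    }
}

/**
 * Hardened shape. A session-bound CSRF token is read from the JSON body
 * and checked before any state change happens.
 */
class DeleteTableHandler extends SimpleHandler {
    use TokenAwareHandlerTrait;

    public function needsWriteAccess() {
        return true;
    }

    public function getParamSettings() {
        return [
            'table_id' => [
                Handler::PARAM_SOURCE => 'path',
                ParamValidator::PARAM_TYPE => 'integer',
                ParamValidator::PARAM_REQUIRED => true,
            ],
        ];
    }

    public function getBodyValidator( $contentType ) {
        if ( $contentType !== 'application/json' ) {
            throw new LocalizedHttpException(
                new MessageValue( 'rest-unsupported-content-type', [ $contentType ] ),
                415
            );
        }
        // getTokenParamDefinition() declares the 'token' body field that
        // validateToken() reads. The content-type check is input hygiene,
        // not the CSRF defence; the token check in run() is.
        return new JsonBodyValidator( $this->getTokenParamDefinition() );
    }

    public function run( int $tableId ) {
        // Rejects with 400 when the token is absent and 403 when it does
        // not match the session's CSRF token; sessions that are inherently
        // CSRF-safe (for example OAuth) must not send one. Call this before
        // touching any state.
        $this->validateToken();
        deleteProgressTable( $tableId );
        return $this->getResponseFactory()->createNoContent();
    }
}
```

A legitimate front-end obtains the token from the user's own session, for example with `mw.user.tokens.get( 'csrfToken' )` in ResourceLoader code or via `api.php?action=query&meta=tokens&type=csrf`, and sends it as the `token` field of the JSON body. A third-party page cannot read that value, so a forged request either lacks the token or carries a wrong one and is refused before the delete runs. When verifying a deployment, the check is that a state-changing request to the extension's endpoints without a token is rejected rather than executed.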
CVE-2025-67646 is a Cross-Site Request Forgery (CSRF) vulnerability in the TableProgressTracking MediaWiki extension, allowing attackers to perform actions as authenticated users.
You are affected if you are using TableProgressTracking MediaWiki extension versions 1.2.0 or earlier.
Upgrade the TableProgressTracking extension to version 1.2.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
There is no confirmed active exploitation of CVE-2025-67646 as of December 10, 2025, but vigilance is still advised.
Refer to the official MediaWiki security advisories for details and updates regarding CVE-2025-67646.