CVE-2025-61654 Overview
A vulnerability has been identified in the Wikimedia Foundation Thanks extension, specifically in the includes/ThanksQueryHelper.php file. This issue affects Thanks versions prior to 1.43.4 and 1.44.1.
The Thanks extension is a MediaWiki extension that allows users to send "thank you" notifications to other users who have contributed to the wiki. The vulnerability exists in the query helper component of this extension.
Critical Impact
This vulnerability affects MediaWiki installations using the Thanks extension. Organizations running vulnerable versions should update to the patched releases.
Affected Products
- Wikimedia Foundation Thanks extension versions before 1.43.4
- Wikimedia Foundation Thanks extension version 1.44.0 (before 1.44.1)
- MediaWiki installations with vulnerable Thanks extension
Discovery Timeline
- 2026-02-03 - CVE-2025-61654 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-61654
Vulnerability Analysis
The vulnerability resides in the ThanksQueryHelper.php file within the Thanks extension's includes directory. This component is responsible for handling database queries related to the thanks functionality in MediaWiki.
While the specific exploitation method has not been fully disclosed, the vulnerability is associated with the query helper that processes user-related thanks operations. The issue is reachable over the network and requires only low-privilege (authenticated) access to interact with the affected component.
For additional technical information, refer to the Wikimedia Phabricator Ticket T397497 which tracks this security issue.
Root Cause
The root cause of this vulnerability lies within the ThanksQueryHelper.php file in the Thanks extension. The implementation details that led to this vulnerability are tracked in Wikimedia Phabricator ticket T397497. The issue has been addressed in the patched versions 1.43.4 and 1.44.1.
Attack Vector
The vulnerability can be exploited over the network (Network attack vector). An attacker would need low privileges (an authenticated account) to interact with the vulnerable component. No user interaction is required for exploitation.
The attack targets the query helper functionality within the Thanks extension, which handles database operations for the thanks feature in MediaWiki installations.
Detection Methods for CVE-2025-61654
Indicators of Compromise
- Unusual activity or requests targeting the Thanks extension API endpoints
- Unexpected database query patterns related to thanks operations
- Anomalous access patterns to ThanksQueryHelper.php or related extension files
Detection Strategies
- Monitor MediaWiki application logs for unusual requests to the Thanks extension
- Review web server access logs for suspicious patterns targeting extension endpoints
- Implement file integrity monitoring on the includes/ThanksQueryHelper.php file
- Audit MediaWiki extension configurations and access patterns
Monitoring Recommendations
- Enable detailed logging for MediaWiki extensions, particularly the Thanks module
- Set up alerts for unusual query patterns or error rates in the Thanks extension
- Monitor for unauthorized access attempts to authenticated MediaWiki features
- Track extension version information to ensure patched versions are deployed
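The alerting recommended above needs something concrete to run. The following is an added example, not part of the advisory and not code from the Thanks project: it takes entries in the shape of the MediaWiki API's action=query&list=logevents&letype=thanks response (a real API; the sample response below is constructed, not captured from a wiki) and flags accounts that send thanks in bursts, which is one observable signal of abuse of the thanks feature. The window and threshold values are arbitrary tuning assumptions.

```python
"""Added example (not from the advisory or the Thanks project): flag accounts
that send thanks in bursts, using entries shaped like the MediaWiki API's
action=query&list=logevents&letype=thanks response."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List


def parse_ts(ts: str) -> datetime:
    """MediaWiki API timestamps look like 2026-02-03T10:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def burst_senders(logevents_json: str, window_seconds: int = 60,
                  threshold: int = 5) -> Dict[str, int]:
    """Return {user: peak count} for every user who sent more than `threshold`
    thanks inside any sliding window of `window_seconds`."""
    data = json.loads(logevents_json)
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for ev in data.get("query", {}).get("logevents", []):
        if ev.get("type") != "thanks":
            continue  # ignore anything that is not a thanks log entry
        # In logevents output, "user" is the performer (the sender of the thanks).
        per_user[ev.get("user", "?")].append(parse_ts(ev["timestamp"]))

    flagged: Dict[str, int] = {}
    for user, times in per_user.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged


# Constructed sample (assumption: field names follow the logevents API shape).
_NORMAL = [
    {"logid": 1, "type": "thanks", "action": "thank", "user": "Alice",
     "timestamp": "2026-02-03T09:00:00Z", "title": "User:Bob"},
    {"logid": 2, "type": "thanks", "action": "thank", "user": "Alice",
     "timestamp": "2026-02-03T11:30:00Z", "title": "User:Carol"},
    {"logid": 3, "type": "thanks", "action": "thank", "user": "Alice",
     "timestamp": "2026-02-03T14:00:00Z", "title": "User:Dave"},
]
# Eight thanks from one account within 30 seconds.
_BURST = [
    {"logid": 100 + i, "type": "thanks", "action": "thank", "user": "BurstAccount",
     "timestamp": f"2026-02-03T10:00:{4 * i:02d}Z", "title": "User:Target"}
    for i in range(8)
]
SAMPLE_LOGEVENTS = json.dumps({"query": {"logevents": _NORMAL + _BURST}})

if __name__ == "__main__":
    for user, peak in burst_senders(SAMPLE_LOGEVENTS).items():
        print(f"ALERT: {user} sent {peak} thanks within 60 seconds")
```

Feed it a real export by paging through list=logevents with letype=thanks and concatenating the logevents arrays; tune the window and threshold to the wiki's normal thanking rate before alerting on the result.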
How to Mitigate CVE-2025-61654
Immediate Actions Required
- Identify all MediaWiki installations running the Thanks extension
- Verify the current version of the Thanks extension in your environment
- Update to Thanks version 1.43.4 (1.43.x branch) or 1.44.1 (1.44.x branch) immediately
- Review extension access logs for any suspicious activity prior to patching
Patch Information
Wikimedia Foundation has released patched versions to address this vulnerability:
- Version 1.43.4 - For installations on the 1.43.x branch
- Version 1.44.1 - For installations on the 1.44.x branch
Updates can be obtained through the standard MediaWiki extension distribution channels. For detailed information about this issue, consult the Wikimedia Phabricator Ticket T397497.
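The version check in "Immediate Actions Required" and the branch-specific fixed releases above can be automated. The following is an added example, not part of the advisory and not code from the Thanks project: it reads the extension list from a MediaWiki action=query&meta=siteinfo&siprop=extensions response (a real API call; the sample response below is constructed) and classifies the reported Thanks version against the ranges this page lists. It assumes the reported version string follows the same 1.43.x/1.44.x numbering the advisory uses; if a wiki reports a different scheme, compare the installed release branch instead.

```python
"""Added example (not from the advisory or the Thanks project): decide whether
a reported Thanks extension version falls inside the affected ranges for
CVE-2025-61654."""
import json
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by release branch.
FIXED_BY_BRANCH = {(1, 43): (1, 43, 4), (1, 44): (1, 44, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.43.4' into (1, 43, 4). Parsing stops at the first component that
    is not purely numeric, so '1.44.0-wmf.3' becomes (1, 44, 0)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
        if len(digits) != len(piece):
            break  # trailing suffix such as '-wmf' ends the numeric part
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is in a range the advisory lists as vulnerable."""
    v = parse_version(version)
    if len(v) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    v3 = v + (0,) * (3 - len(v))  # pad '1.43' to (1, 43, 0)
    branch = v3[:2]
    if branch in FIXED_BY_BRANCH:
        return v3 < FIXED_BY_BRANCH[branch]
    if branch < (1, 43):
        return True   # everything before 1.43.4 is listed as affected
    return False      # branches newer than 1.44 are not named as affected


def thanks_version_from_siteinfo(siteinfo_json: str) -> Optional[str]:
    """Find the Thanks entry in a siteinfo/extensions response; None if absent."""
    data = json.loads(siteinfo_json)
    for ext in data.get("query", {}).get("extensions", []):
        if ext.get("name") == "Thanks":
            return ext.get("version")
    return None


def assess(siteinfo_json: str) -> str:
    version = thanks_version_from_siteinfo(siteinfo_json)
    if version is None:
        return "Thanks not installed"
    state = "AFFECTED" if is_affected(version) else "patched"
    return f"Thanks {version}: {state}"


# Constructed sample response (not captured from a real wiki).
SAMPLE_SITEINFO = json.dumps({
    "batchcomplete": "",
    "query": {"extensions": [
        {"type": "other", "name": "Thanks", "version": "1.43.3",
         "descriptionmsg": "thanks-desc", "license-name": "MIT"},
        {"type": "other", "name": "Echo", "version": "1.43.3"},
    ]},
})

if __name__ == "__main__":
    print(assess(SAMPLE_SITEINFO))
```

Run it against each wiki in the inventory by fetching api.php?action=query&meta=siteinfo&siprop=extensions&format=json and passing the body to assess(); a result of AFFECTED means the upgrade to the branch's fixed release is still outstanding.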
Workarounds
- Temporarily disable the Thanks extension if immediate patching is not possible
- Restrict access to the Thanks extension functionality to trusted users only
- Implement additional access controls at the web server level for extension endpoints
- Monitor and audit all activity related to the Thanks extension until patched
# Configuration example (LocalSettings.php) - temporarily disable the Thanks extension
# until the patched release (1.43.4 or 1.44.1) is installed, by commenting out its loader:
# wfLoadExtension( 'Thanks' );

# After patching, re-enable the extension by restoring the original line:
wfLoadExtension( 'Thanks' );
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.