CVE-2025-23074

CVE-2025-23074: Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed)

Vendor: Wikimedia Foundation
Product: Mediawiki - SocialProfile Extension
Weakness: CWE-200 · Info exposure
Published: January 14, 2025
Last update: January 31, 2025

What the vulnerability does

01 Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - SocialProfile Extension allows Functionality Misuse. This issue affects Mediawiki - SocialProfile Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Key dates

02 Disclosure timeline

January 14, 2025 CVE published
January 31, 2025 Record updated