CVE-2025-53485: SecurePoll: Unauthorized access to SetTranslationHandler allows arbitrary text changes

Vendor: Wikimedia Foundation
Product: MediaWiki - SecurePoll extension
Weakness: CWE-862 · Missing authorization
Published: July 4, 2025
Last update: July 8, 2025

What the vulnerability does

01 Description

SetTranslationHandler.php does not validate that the user is an election admin, allowing any user, even an unauthenticated one, to change election-related translation text. While the handler is partially broken in newer MediaWiki versions, the authorization check is still missing. This issue affects the MediaWiki SecurePoll extension: 1.39.x before 1.39.13, 1.42.x before 1.42.7, and 1.43.x before 1.43.2.

Key dates

02 Disclosure timeline

July 4, 2025: CVE published
July 8, 2025: Record updated