CVE-2025-32700: AbuseFilter log interfaces expose global private and hidden filters when central DB is not available

2.3 CVSS

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.php, includes/Pager/AbuseLogPager.php, includes/Special/SpecialAbuseLog.php, includes/View/AbuseFilterViewExamine.php.

This issue affects AbuseFilter: from 1.43.0 before 1.43.1.

Classification

CVE ID: CVE-2025-32700

CVSS Base Severity: LOW

CVSS Base Score: 2.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/RE:M/U:Green

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: Wikimedia Foundation

Product: MediaWiki

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 25.42% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-04-18 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32700
https://phabricator.wikimedia.org/T389235

Timeline