CVE-2023-45372 in Wikibase Extension
Summary
by MITRE • 10/25/2023
An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. During item merging, ItemMergeInteractor does not have an edit filter running (e.g., AbuseFilter).
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability identified as CVE-2023-45372 resides within the Wikibase extension for MediaWiki, a widely used semantic data extension that enables collaborative creation and management of structured data. This flaw affects multiple versions of MediaWiki including releases prior to 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1, creating a substantial attack surface across various deployment environments. The issue specifically manifests during the item merging process, which is a core functionality allowing administrators and users to consolidate duplicate or related data items within the semantic database. The vulnerability stems from the absence of proper edit filtering mechanisms within the ItemMergeInteractor component, which is responsible for handling the merging operations between different data items. This component operates without the protective layers that typically govern edit operations, leaving the merging process exposed to potentially malicious or unauthorized modifications.
The technical nature of this vulnerability aligns with CWE-345: Insufficient Verification of Data Authenticity, as the system fails to validate the integrity and legitimacy of merge operations before execution. The lack of an edit filter such as AbuseFilter means that any user with appropriate permissions can perform item merges without the standard checks that would normally prevent harmful modifications. This creates a significant risk where malicious actors could exploit the merge functionality to introduce corrupted data, manipulate semantic relationships, or potentially execute denial of service attacks by merging items in ways that disrupt database integrity. The vulnerability represents a critical gap in the security architecture of the Wikibase extension, as it bypasses fundamental access control and data validation mechanisms that should normally protect against unauthorized modifications.
The operational impact of this vulnerability extends beyond simple data corruption, potentially enabling sophisticated attacks that could compromise the entire semantic data infrastructure of affected MediaWiki installations. When an attacker successfully exploits this vulnerability, they can manipulate the merging process to redirect or alter data relationships, create false semantic connections, or introduce malicious data patterns that persist across the entire knowledge base. This risk is particularly concerning in collaborative environments where multiple users contribute to the semantic database, as the vulnerability could be exploited to subtly alter the meaning of data items or disrupt established data relationships. The absence of an edit filter during item merging operations creates a pathway for attackers to bypass normal security controls that would otherwise prevent such modifications, potentially leading to data integrity compromises that affect the trustworthiness of the entire semantic database.
Organizations utilizing affected versions of MediaWiki should prioritize immediate remediation through patch updates to the Wikibase extension, specifically upgrading to versions 1.35.12, 1.39.5, or 1.40.1 respectively, depending on their current deployment. The recommended mitigation strategy involves implementing additional monitoring and logging mechanisms around merge operations to detect anomalous activities that might indicate exploitation attempts. Security teams should also consider implementing rate limiting and access controls specifically for merge operations, ensuring that only trusted administrators can perform these potentially disruptive actions. The vulnerability demonstrates the critical importance of maintaining comprehensive security controls across all data modification pathways within semantic databases, as the absence of proper filtering mechanisms can create persistent attack vectors that undermine the integrity of structured data systems. Organizations should also review their existing abuse filter configurations to ensure that merge operations are properly covered by these protective measures and consider implementing additional validation checks that verify the legitimacy of merge operations before execution. This vulnerability serves as a reminder of the need for robust security architectures that protect all data modification operations, regardless of their perceived complexity or importance within the system.