CVE-2025-53486: Reflected XSS Vulnerability in WikiCategoryTagCloud Extension
The WikiCategoryTagCloud extension for MediaWiki is susceptible to a reflected Cross-Site Scripting (XSS) vulnerability. An attacker who can get a crafted tagcloud invocation into rendered wikitext can inject JavaScript that runs in the browser of any user who hovers over a link in the generated category cloud, with the potential to compromise that user's session and data.
Vulnerability Details
- CVE ID: CVE-2025-53486
- Description: The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute. The attribute value is concatenated into the inline style attribute of each generated link without HTML escaping. An attacker can supply a value that closes the style attribute and appends a JavaScript event handler such as onmouseenter, using crafted input passed through the {{#tag:tagcloud}} parser function. The handler then executes arbitrary JavaScript when a user hovers over a link in the rendered category cloud.
- CVSS Score and Vector:
- CVSS 3.1 Score: 5.4 (Medium)
- CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Explanation: The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L); it requires a low-privileged account (PR:L) and user interaction (UI:R). Successful exploitation leads to limited loss of confidentiality (C:L) and integrity (I:L) and has no availability impact (A:N). Scope is changed (S:C) because the vulnerable component is the wiki application while the impact lands in the victim's browser, where the script runs with that user's session.
- Exploit Requirements: The attacker needs enough privilege to place a {{#tag:tagcloud}} call with a crafted linkstyle value into wikitext that the wiki renders (ordinarily an account with edit rights, hence PR:L). User interaction (hovering over a link in the rendered cloud) is required for the event handler to fire.
- Affected Vendor, Product, Version: Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. These version numbers follow the MediaWiki release branches the extension is maintained against (REL1_39, REL1_42 and REL1_43), not a separate extension versioning scheme.
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting'). The application does not properly escape user-supplied input for the HTML context in which it is emitted, allowing an attacker to inject script.
Timeline of Events
- 2025-07-07: Vulnerability publicly disclosed (CVE assigned).
- 2025-07-07: Patches released for affected versions.
Exploitability & Real-World Risk
This vulnerability poses a moderate risk in real-world scenarios. An attacker with edit access places a tagcloud invocation with a crafted linkstyle value on a page; when any user views that page and hovers over a link in the rendered cloud, the injected JavaScript executes. Because the payload travels in wikitext, it persists if the edit is saved, so every reader of the page is exposed rather than only a victim who follows a specially crafted URL. Execution in the victim's session can lead to session hijacking, defacement of the wiki, or other actions performed on the user's behalf. The impact is limited to wikis that have this extension installed, but MediaWiki is widely deployed, so the population of affected sites is not small.
Recommendations
- Upgrade: Upgrade the WikiCategoryTagCloud extension to the fixed branch for your MediaWiki release (1.39.13, 1.42.7, 1.43.2 or later). After upgrading, review existing pages and recent revisions that use tagcloud, since a payload saved before the fix remains harmless only as long as the patched code is the one rendering it.
- Output Encoding (for extension maintainers): Build HTML with Html::element or Html::openElement rather than string concatenation, so that attribute values are escaped for the HTML attribute context. Validating that a value is well-formed CSS is not a substitute for that escaping.
- Web Application Firewall (WAF): A WAF can block obvious payloads but is a stopgap only; it does not remove the flaw, and attribute break-outs in wikitext can be encoded in ways a signature may miss.
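An added check to go with the recommendations above, not part of the advisory or of the extension: a PHP scan over wikitext that lists tagcloud invocations whose linkstyle value contains a quote, an angle bracket or an on...= handler, for finding payloads users may already have saved. It assumes the extension's tag is <tagcloud> and that linkstyle can arrive either as a tag attribute or as a {{#tag:tagcloud|...|linkstyle=...}} parameter; the function names, the sample wikitext and the other attribute names in it are constructed for this illustration.

```php
<?php
// Added example: hunt for stored linkstyle break-out payloads in wikitext.
// Not code from WikiCategoryTagCloud. Assumes the <tagcloud> tag name and
// the two invocation syntaxes shown below.

/**
 * Returns every linkstyle value found in $wikitext, from both the
 * <tagcloud ...> tag form and the {{#tag:tagcloud|...}} parser-function form.
 */
function extractLinkstyles(string $wikitext): array {
    $found = [];

    // Tag form: <tagcloud ... linkstyle="..."> (single or double quotes).
    if (preg_match_all('/<tagcloud\b[^>]*\blinkstyle\s*=\s*(["\'])(.*?)\1/is', $wikitext, $m)) {
        foreach ($m[2] as $value) {
            $found[] = $value;
        }
    }

    // Parser-function form: the value runs to the next "|" or the closing "}}".
    if (preg_match_all('/\{\{#tag:tagcloud\b(.*?)\}\}/is', $wikitext, $calls)) {
        foreach ($calls[1] as $args) {
            if (preg_match('/\|\s*linkstyle\s*=\s*([^|]*)/is', $args, $a)) {
                $found[] = trim($a[1]);
            }
        }
    }
    return $found;
}

/**
 * True if the value could break out of a style="..." attribute or carry an
 * event handler. Character references are decoded first, because MediaWiki
 * decodes them in tag attributes before the extension sees the value.
 */
function isSuspiciousLinkstyle(string $value): bool {
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return (bool) preg_match('/["\'<>]|\bon[a-z]+\s*=/i', $decoded);
}

/** Suspicious linkstyle values from a page's wikitext, in document order. */
function findSuspiciousTagclouds(string $wikitext): array {
    return array_values(array_filter(extractLinkstyles($wikitext), 'isSuspiciousLinkstyle'));
}

// Constructed sample page content (not real wiki data); attribute names other
// than linkstyle are illustrative.
$sample = <<<'WIKITEXT'
Benign use:
<tagcloud style="width:50%" linkstyle="color:#06c;text-decoration:none">
</tagcloud>

Entity-encoded break-out in the tag form:
<tagcloud linkstyle="color:red&quot; onmouseenter=&quot;alert(1)"></tagcloud>

Parser-function form with a raw quote:
{{#tag:tagcloud|min_size=80|linkstyle=color:red" onmouseenter="alert(1)}}
WIKITEXT;

foreach (findSuspiciousTagclouds($sample) as $hit) {
    echo "suspicious linkstyle: ", $hit, "\n";
}
```

Feed it the wikitext of each revision that mentions tagcloud (for example from a database dump or the API); the benign invocation in the sample is ignored, while both break-out forms are reported. The entity decoding matters: a value that looks like plain CSS in the raw text can still contain a quote after the parser has decoded it.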
Technical Insight
The vulnerability stems from the fact that the linkstyle parameter, passed through the {{#tag:tagcloud}} parser function, is only checked by Sanitizer::checkCss(), which validates the value as CSS but does not escape it for the HTML attribute context. The checked value is then concatenated straight into the style attribute of each generated link. A value containing a double quote therefore closes the style attribute, and whatever follows is parsed by the browser as further attributes of the link, so an attacker can append an event handler such as onmouseenter and obtain arbitrary JavaScript execution. The proper fix is to build the link with Html::element or Html::openElement, which encode attribute values and keep the whole linkstyle string inside the style attribute regardless of its content.
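The vulnerable and hardened patterns side by side, as an added example written for this page and not the extension's own code. Plain PHP stands in for Sanitizer::checkCss() and Html::element(), whose real implementations live in MediaWiki core; the function names checkCssStandIn, renderLinkVulnerable and renderLinkFixed, and the payload, are assumptions made for the illustration.

```php
<?php
// Added example, not code from WikiCategoryTagCloud or MediaWiki core.
// Reconstructs the pattern the advisory describes (a CSS-validity check
// without HTML escaping) beside a hardened version.

/**
 * Stand-in for Sanitizer::checkCss(): rejects a few dangerous CSS
 * constructs but, like the real function, performs no HTML escaping.
 * The real rule set is larger; only the "no escaping" property matters here.
 */
function checkCssStandIn(string $css): string {
    if (preg_match('/expression|javascript:|@import|url\s*\(/i', $css)) {
        return '/* insecure input */';
    }
    return $css;
}

/** Vulnerable: the CSS-checked value is concatenated into the attribute. */
function renderLinkVulnerable(string $href, string $text, string $linkstyle): string {
    $style = checkCssStandIn($linkstyle);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
        . '" style="' . $style . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

/**
 * Hardened: every attribute value is encoded for the attribute context,
 * which is what Html::element() does through MediaWiki's attribute encoding.
 */
function renderLinkFixed(string $href, string $text, string $linkstyle): string {
    $attrs = [
        'href'  => $href,
        'style' => checkCssStandIn($linkstyle),
    ];
    $html = '<a';
    foreach ($attrs as $name => $value) {
        $html .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

/** True if the rendered markup carries a bare on...= attribute on the link. */
function hasEventHandlerAttribute(string $html): bool {
    return (bool) preg_match('/<a\b[^>]*\s+on[a-z]+\s*=/i', $html);
}

// Constructed payload of the kind the advisory describes: it is valid enough
// to pass the CSS check, closes the style attribute, and appends a handler.
$payload = 'color:red" onmouseenter="alert(document.cookie)';

$vulnerable = renderLinkVulnerable('/wiki/Category:Example', 'Example', $payload);
$fixed      = renderLinkFixed('/wiki/Category:Example', 'Example', $payload);

echo "vulnerable: ", $vulnerable, "\n";
echo "handler attribute present: ", var_export(hasEventHandlerAttribute($vulnerable), true), "\n";
echo "fixed:      ", $fixed, "\n";
echo "handler attribute present: ", var_export(hasEventHandlerAttribute($fixed), true), "\n";
```

Run with the php CLI. The vulnerable renderer emits the payload verbatim, so the browser sees a separate onmouseenter attribute on the link; the hardened renderer encodes the embedded quote as &quot; and the entire value stays inside style. The CSS check alone passes this payload, which is exactly the advisory's point: validating that a string is acceptable CSS says nothing about whether it is safe to drop into an HTML attribute.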
Credit to Researcher(s)
The vulnerability was reported by the Wikimedia Security Team.
Tags
#XSS #WikiCategoryTagCloud #Mediawiki #CVE-2025-53486 #SecurityVulnerability #ReflectedXSS
Summary: A reflected XSS vulnerability exists in the WikiCategoryTagCloud extension for MediaWiki, allowing attackers to inject malicious JavaScript code via the linkstyle attribute. Upgrade to the latest version to mitigate this risk.
CVE ID: CVE-2025-53486
Risk Analysis: Successful exploitation could allow an attacker to steal user session cookies, deface the wiki, redirect users to malicious websites, or perform other actions on behalf of the user.
Recommendation: Upgrade the WikiCategoryTagCloud extension to version 1.39.13, 1.42.7, 1.43.2, or later.