CVE-2025-53486: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Wikimedia Foundation Mediawiki - WikiCategoryTagCloud extension
The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud. The vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement. This issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
AI Analysis
Technical Summary
CVE-2025-53486 is a reflected Cross-Site Scripting (XSS) vulnerability affecting the WikiCategoryTagCloud extension of the Mediawiki platform maintained by the Wikimedia Foundation. The vulnerability arises from improper neutralization of input during web page generation, specifically in the handling of the 'linkstyle' attribute passed to the {{#tag:tagcloud}} parser function. The 'linkstyle' parameter is processed only by Sanitizer::checkCss(), which validates CSS but does not perform HTML escaping. The validated string is then concatenated directly into an inline style attribute without using secure methods such as Html::element or Html::openElement, which would escape the attribute value. Because the value is not escaped, input containing a quote character can terminate the style attribute and add a JavaScript event handler attribute, such as 'onmouseenter', to the link element. When a victim hovers over a link in the category cloud, the injected JavaScript executes, enabling arbitrary script execution in the victim's browser context. This reflected XSS can be exploited to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability affects Mediawiki WikiCategoryTagCloud extension versions 1.39.x before 1.39.13, 1.42.x before 1.42.7, and 1.43.x before 1.43.2. No CVSS score has been assigned yet, and there are no known exploits in the wild as of the publication date. The root cause is the insecure handling of user-controllable input within HTML attributes: CSS validation was treated as a substitute for HTML attribute escaping.
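As an added illustration of the vulnerable and hardened patterns the advisory describes (this is constructed example code, not the WikiCategoryTagCloud extension's own source), assuming it runs inside a MediaWiki environment where the Sanitizer and Html classes are autoloaded:

```php
<?php
// Added example, not code from the WikiCategoryTagCloud extension. It assumes a
// MediaWiki environment in which Sanitizer and Html are already autoloaded.

/**
 * Vulnerable pattern from the advisory: the CSS is validated by
 * Sanitizer::checkCss(), but the validated string is then concatenated
 * straight into an HTML attribute. checkCss() does no HTML escaping, so a
 * double quote in $linkStyle still terminates the style attribute.
 */
function buildTagLinkUnsafe( string $href, string $label, string $linkStyle ): string {
    $css = Sanitizer::checkCss( $linkStyle ); // CSS validation only
    return '<a href="' . htmlspecialchars( $href, ENT_QUOTES ) . '" style="' . $css . '">'
        . htmlspecialchars( $label, ENT_QUOTES ) . '</a>';
}

/**
 * Hardened pattern: keep the CSS validation, but let Html::element() build
 * the tag. Html::element() HTML-escapes every attribute value (quotes become
 * &quot;) and escapes the text content, so the whole value stays inside the
 * style attribute no matter what characters it contains.
 */
function buildTagLinkSafe( string $href, string $label, string $linkStyle ): string {
    $css = Sanitizer::checkCss( $linkStyle );
    return Html::element( 'a', [ 'href' => $href, 'style' => $css ], $label );
}

/**
 * Defensive check usable in an extension's unit tests: the rendered markup
 * must not contain a raw double quote originating from the CSS value.
 */
function styleStaysInsideAttribute( string $html, string $linkStyle ): bool {
    // A raw `"` from the input would only survive in the unsafe builder.
    return strpos( $html, '" on' ) === false;
}

// Constructed input: plausible CSS followed by a quote that would close the
// attribute and start a new one if it is not escaped.
$linkStyle = 'color:red" on';
$unsafe = buildTagLinkUnsafe( '/wiki/Category:Example', 'Example', $linkStyle );
$safe   = buildTagLinkSafe( '/wiki/Category:Example', 'Example', $linkStyle );

var_dump( styleStaysInsideAttribute( $unsafe, $linkStyle ) ); // bool(false)
var_dump( styleStaysInsideAttribute( $safe, $linkStyle ) );   // bool(true)
```

The same check also applies to Html::openElement(), which escapes attributes through the same code path as Html::element().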
Potential Impact
For European organizations using Mediawiki with the WikiCategoryTagCloud extension in the affected versions, this vulnerability poses a significant risk to web application security. Exploitation can lead to arbitrary JavaScript execution in users' browsers, compromising confidentiality by stealing session tokens or credentials, integrity by manipulating displayed content, and availability by potentially redirecting users or triggering denial-of-service conditions. Organizations that rely on Mediawiki for internal or public knowledge bases, documentation, or collaboration platforms may face reputational damage, data leakage, or unauthorized access if attackers leverage this XSS flaw. Given that Mediawiki is widely used by public institutions, educational entities, and enterprises across Europe, the vulnerability could be exploited to target sensitive information or disrupt services. The reflected nature of the XSS means that attackers need to trick users into clicking crafted URLs or interacting with malicious content, which is feasible through phishing or social engineering campaigns. The absence of known exploits currently reduces immediate risk but does not preclude future attacks. Additionally, the vulnerability could be chained with other attacks to escalate privileges or move laterally within networks.
Mitigation Recommendations
European organizations should promptly upgrade the WikiCategoryTagCloud extension to the fixed versions: 1.39.13 or later for the 1.39.x branch, 1.42.7 or later for the 1.42.x branch, and 1.43.2 or later for the 1.43.x branch. If immediate patching is not possible, implement strict Content Security Policy (CSP) headers to restrict inline script execution and limit the impact of injected scripts. Review and sanitize all user inputs that interact with the 'linkstyle' parameter or similar attributes, ensuring proper HTML escaping and validation beyond CSS sanitization. Conduct thorough code audits to verify that all dynamic HTML generation uses secure APIs like Html::element or Html::openElement to prevent injection flaws. Educate users about phishing risks to reduce the likelihood of successful social engineering attacks exploiting this reflected XSS. Monitor web server logs and user reports for suspicious activity or unexpected script execution. Employ web application firewalls (WAFs) with rules targeting XSS payloads in URL parameters related to the tagcloud function. Finally, maintain an incident response plan to quickly address any exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: wikimedia-foundation
- Date Reserved: 2025-06-30T15:20:44.462Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 686be34b6f40f0eb72ea2065
Added to database: 7/7/2025, 3:10:03 PM
Last enriched: 7/7/2025, 3:24:54 PM
Last updated: 8/18/2025, 2:31:22 PM