CVE-2025-62508 is a stored cross-site scripting vulnerability identified in the Citizen skin for MediaWiki, specifically affecting versions from 3.3.0 up to but not including 3.9.0. The vulnerability stems from the stickyHeader.js script, where the function copyButtonAttributes assigns innerHTML from a source element’s textContent when copying button labels. This flawed implementation causes escaped HTML in system message content—such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk—to be interpreted as executable HTML in the sticky header. Consequently, a user with the editinterface permission, which is typically granted to sysop groups but does not require editsitejs rights, can inject arbitrary JavaScript code. This script executes in the context of other users’ sessions, potentially allowing unauthorized access to sensitive information or the performance of unauthorized actions within the MediaWiki environment. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 score is 6.5, reflecting a medium severity with high impact on confidentiality and integrity but no impact on availability. The issue has been addressed and fixed in Citizen skin version 3.9.0. No known exploits have been reported in the wild as of the publication date.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of information managed via MediaWiki platforms using the Citizen skin. Since the exploit allows arbitrary JavaScript execution in other users’ sessions, attackers could steal session tokens, perform actions on behalf of legitimate users, or manipulate displayed content, potentially leading to data breaches or misinformation. Organizations relying on MediaWiki for internal documentation, collaboration, or knowledge management could face operational disruptions and reputational damage if sensitive data is exposed or altered. The risk is heightened in environments where multiple users have interface editing rights, increasing the attack surface. Although availability is not directly impacted, the breach of trust and data integrity can have cascading effects on compliance with European data protection regulations such as GDPR, especially if personal or sensitive data is involved.

European organizations should immediately upgrade the Citizen MediaWiki skin to version 3.9.0 or later to apply the official fix. Until the patch is applied, restrict the editinterface permission strictly to trusted administrators and review current user roles to ensure minimal assignment. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the MediaWiki environment. Regularly audit interface message content for suspicious or unexpected HTML or script injections. Employ web application firewalls (WAFs) with rules targeting XSS patterns to provide an additional layer of defense. Educate administrators about the risks of granting interface editing rights and enforce strict change management procedures for interface messages. Monitor logs for unusual activities related to interface message edits or unexpected script executions. Consider isolating MediaWiki instances or restricting access to sensitive wikis to reduce exposure.