CVE-2025-62654 identifies a stored Cross-site Scripting (XSS) vulnerability in the MediaWiki QuizGame extension versions 1.39, 1.43, and 1.44. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within the QuizGame extension functionality. This flaw allows an attacker with sufficient privileges to inject malicious JavaScript code that is stored persistently and executed in the browsers of users who view the affected pages. The vulnerability is categorized under CWE-79, which relates to improper input sanitization leading to XSS. The CVSS 4.0 vector indicates a network attack vector (AV:N), high attack complexity (AC:H), requiring privileges (PR:H), and user interaction (UI:P). The impact on confidentiality, integrity, and availability is low, reflecting limited potential damage and exploitation difficulty. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. The vulnerability affects multiple versions of the extension, which is commonly used in MediaWiki deployments to provide quiz-based interactive content. The Wikimedia Foundation is the vendor responsible for the product. The vulnerability could be leveraged to execute arbitrary scripts in the context of the affected site, potentially leading to session hijacking, defacement, or other client-side attacks, but only if the attacker has the ability to submit content and convince users to interact with it.

For European organizations using MediaWiki with the QuizGame extension, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data. Since exploitation requires high privileges to inject malicious content and user interaction to trigger the payload, the immediate risk is limited. However, in environments where multiple users have editing or content submission rights, an attacker could embed malicious scripts that execute when other users access the quiz content. This could lead to session hijacking, unauthorized actions performed on behalf of users, or the spread of malware via the browser. The impact on availability is minimal. Organizations hosting public or internal wikis with active user contributions should be cautious, as the stored XSS could undermine trust and lead to reputational damage. Given the low CVSS score and absence of known exploits, the threat is not urgent but should be addressed to prevent future exploitation.

1. Restrict editing and content submission privileges to trusted users only, minimizing the risk of malicious input injection. 2. Implement additional input validation and output encoding specifically for the QuizGame extension to neutralize potentially harmful scripts. 3. Monitor logs and user activity for unusual submissions or behavior that could indicate attempted exploitation. 4. Disable or uninstall the QuizGame extension temporarily if it is not essential to reduce the attack surface until patches are available. 5. Stay updated with Wikimedia Foundation advisories and apply official patches promptly once released. 6. Educate users about the risks of interacting with untrusted content and encourage cautious behavior when accessing wiki pages with interactive elements. 7. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the wiki. 8. Conduct regular security audits and penetration tests focusing on web application input handling and extensions.