
CVE-2025-7362: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Wikimedia Foundation Mediawiki - MsUpload extension

Severity: Medium
Tags: Vulnerability, CVE-2025-7362, cve, cve-2025-7362, cwe-79
Published: Tue Jul 08 2025 (07/08/2025, 17:22:35 UTC)
Source: CVE Database V5
Vendor/Project: Wikimedia Foundation
Product: Mediawiki - MsUpload extension

Description

The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice. This issue affects Mediawiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

AI-Powered Analysis

Last updated: 07/15/2025, 21:40:31 UTC

Technical Analysis

CVE-2025-7362 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the MsUpload extension of the MediaWiki platform maintained by the Wikimedia Foundation. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, the msu-continue system message is inserted into the Document Object Model (DOM) without adequate sanitization, and this can be exploited when a user uploads a file with a filename that has already been uploaded previously. This leads to the injection of malicious scripts that persist on the server and execute in the browsers of users who view the affected pages. The vulnerability affects MediaWiki MsUpload extension versions 1.39.x prior to 1.39.13, 1.42.x prior to 1.42.7, and 1.43.x prior to 1.43.2.

The CVSS 3.1 base score is 5.4, indicating a medium severity level, with a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), and a changed scope (S:C). The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The vulnerability requires an authenticated user to upload files and some user interaction to trigger the malicious script execution. The scope change indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other parts of the MediaWiki installation or users accessing the system.

This vulnerability is significant because MediaWiki is widely used for collaborative documentation and knowledge bases, including many public and private wikis in Europe. Exploitation could allow attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the wiki environment.

Potential Impact

For European organizations using MediaWiki with the MsUpload extension, this vulnerability poses a risk of client-side attacks that can compromise user accounts and sensitive information stored within the wiki. Since MediaWiki is often used for internal knowledge management, documentation, and collaboration, an attacker exploiting this XSS flaw could impersonate legitimate users, manipulate wiki content, or steal confidential data. The requirement for authenticated access limits the attack surface to users with upload privileges, but insider threats or compromised accounts could be leveraged. The scope change means that the impact could extend beyond the immediate MsUpload extension, potentially affecting other integrated systems or services relying on MediaWiki. In regulated industries common in Europe, such as finance, healthcare, and government, such a breach could lead to compliance violations under GDPR and other data protection laws, resulting in legal and reputational damage. Additionally, the persistence of the stored XSS increases the risk of widespread impact as multiple users accessing the affected pages could be compromised.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading the MsUpload extension to the fixed versions: 1.39.13 or later for the 1.39.x branch, 1.42.7 or later for the 1.42.x branch, and 1.43.2 or later for the 1.43.x branch. If immediate patching is not feasible, organizations should implement strict input validation and output encoding on the msu-continue system message to sanitize any user-supplied filenames or messages before insertion into the DOM. Restricting file upload privileges to trusted users and monitoring upload activity for suspicious patterns can reduce risk. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the wiki. Regularly audit MediaWiki extensions and configurations for security best practices. Additionally, educating users about the risks of clicking on unexpected links or interacting with suspicious wiki content can help reduce exploitation likelihood. Logging and monitoring for unusual user behavior or error messages related to file uploads can provide early detection of exploitation attempts.
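
The output-encoding recommendation above, shown as an added example (not MsUpload source code and not taken from the advisory): a message string built into markup as-is, beside the same string encoded before insertion. The function names, the `sampleMessages` table and the message text are hypothetical and constructed for illustration; only the key name msu-continue comes from the advisory.

```javascript
// Constructed sample: an on-wiki override of the message key named in the
// advisory. The text and the inert console.log marker are made up.
const sampleMessages = {
  'msu-continue': 'Continue with $1? <img src=x onerror="console.log(1)">'
};

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Single-pass $N substitution, so a parameter that itself contains "$2"
// is never expanded a second time.
function substitute(template, params) {
  return template.replace(/\$(\d+)/g, (match, n) => {
    const value = params[Number(n) - 1];
    return value === undefined ? match : String(value);
  });
}

// Flawed pattern: the message text is trusted and concatenated into markup.
function buildPromptUnsafe(key, params) {
  return '<span class="prompt">' + substitute(sampleMessages[key], params) + '</span>';
}

// Hardened pattern: message and parameters are both treated as text.
// In a browser, assigning the string to element.textContent has the same effect.
function buildPromptSafe(key, params) {
  return '<span class="prompt">' + escapeHtml(substitute(sampleMessages[key], params)) + '</span>';
}

// Check helper: names of any tags that ended up inside the wrapper element.
function injectedTags(html) {
  const inner = html.replace(/^<span class="prompt">/, '').replace(/<\/span>$/, '');
  return (inner.match(/<[a-zA-Z][^>]*>/g) || [])
    .map((tag) => tag.slice(1).split(/[\s>]/)[0].toLowerCase());
}

console.log(injectedTags(buildPromptUnsafe('msu-continue', ['File.png'])));
console.log(injectedTags(buildPromptSafe('msu-continue', ['File.png'])));
```

The same helper can be pointed at any rendered message string during review to confirm that no element survives encoding, including markup supplied through a parameter such as a filename.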


Technical Details

Data Version: 5.1
Assigner Short Name: wikimedia-foundation
Date Reserved: 2025-07-08T17:18:05.309Z
Cvss Version: null
State: PUBLISHED

Threat ID: 686d54576f40f0eb72f9310f

Added to database: 7/8/2025, 5:24:39 PM

Last enriched: 7/15/2025, 9:40:31 PM

Last updated: 8/19/2025, 6:35:46 AM
