MediaWiki ApprovedRevs Extension Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the ApprovedRevs extension for MediaWiki. This issue arises in several locations where system messages are inserted into raw HTML without adequate escaping. Attackers can exploit this vulnerability by injecting JavaScript payloads through the uselang=x-xss language override, which triggers the rendering of crafted message keys without proper sanitization. The vulnerability affects MediaWiki ApprovedRevs extension versions 1.39.X prior to 1.39.13, 1.42.X prior to 1.42.7, and 1.43.X prior to 1.43.2.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Added: Jul 7, 2025, 4:22 PM

Updated: Jul 7, 2025, 4:22 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

5.7

remediation

0.0

relevance

0.2

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

5.7

remediation

0.0

relevance

0.2

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

MediaWiki ApprovedRevs Extension Stored Cross-Site Scripting Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating