Wikimedia Foundation MediaWiki GrowthExperiments Extension Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the GrowthExperiments extension of MediaWiki, affecting versions prior to 1.39. This issue arises from the improper handling of user-generated content, which is inserted into the DOM as HTML without proper sanitization. As a result, malicious scripts can be embedded in article extracts and executed when the content is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, first ensure that the GrowthExperiments extension is installed and configured to pull data from the English Wikipedia. After setting up the extension, create a new article titled 'Div_and_span' that includes unescaped HTML content, such as 'div' and 'span' tags. Once the article is published, the GrowthExperiments extension will retrieve the extract from the Wikipedia REST API, which does not sanitize HTML properly. When this extract is displayed in the edit suggestion cards on the Special:Homepage, the browser will interpret the HTML tags, executing any scripts included in the payload.

Remediation

The vulnerability is addressed in GrowthExperiments version 1.39 and later, which insert article extracts as plain text rather than HTML. Users should update to one of these versions; the latest version of the extension can be downloaded from the Wikimedia Gerrit repository.
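The difference between inserting an extract as HTML and as plain text, shown as an added example (not code from the GrowthExperiments extension). The function names, card markup and sample extract are assumptions made for illustration; string escaping is used so the check runs outside a browser, with the DOM equivalent shown in `fillExtract`.

```javascript
// Added example; function names are hypothetical, not GrowthExperiments code.

// Constructed sample: an extract whose *text* legitimately mentions HTML tags,
// like the 'Div_and_span' article in the reproduction steps.
const SAMPLE_EXTRACT = 'In HTML, <div> and <span> are generic container elements.';

// BEFORE (vulnerable pattern): the extract is concatenated into markup, so any
// tag-like text in it becomes real markup once the string is parsed as HTML.
function renderCardUnsafe(title, extract) {
  return '<div class="card"><h3>' + title + '</h3><p class="extract">' + extract + '</p></div>';
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// AFTER: every untrusted value is treated as text before it reaches the markup.
function renderCardSafe(title, extract) {
  return '<div class="card"><h3>' + escapeHtml(title) + '</h3><p class="extract">' +
    escapeHtml(extract) + '</p></div>';
}

// DOM equivalent for browser code: assigning textContent never parses markup.
function fillExtract(element, extract) {
  element.textContent = extract;
  return element;
}

// Regression check: list the tag names an HTML parser would open in the markup.
function openedTags(markup) {
  return Array.from(markup.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b/g), (m) => m[1].toLowerCase());
}

console.log('unsafe:', openedTags(renderCardUnsafe('Div and span', SAMPLE_EXTRACT)));
console.log('safe:  ', openedTags(renderCardSafe('Div and span', SAMPLE_EXTRACT)));
```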

Added: Oct 18, 2025, 5:19 AM
Updated: Oct 18, 2025, 5:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.