Reflected XSS Vulnerability in MediaWiki's WikiCategoryTagCloud Extension
CVE-2025-53486

Currently unrated

Key Information:

Vendor: Wikimedia Foundation
Status: Mediawiki - Wikicategorytagcloud Extension
Vendor: CVE Published:; 7 July 2025

🔔 Create Wikimedia Foundation Vulnerability Alert

What is CVE-2025-53486?

The WikiCategoryTagCloud extension for MediaWiki is susceptible to reflected Cross-Site Scripting (XSS) attacks due to improper handling of the linkstyle attribute. This vulnerability arises from direct insertion of unsanitized user input into HTML, allowing attackers to inject malicious JavaScript through the {{#tag:tagcloud}} parser function. Consequently, this can lead to arbitrary JavaScript execution when users interact with links within the category cloud, posing significant risks for web application integrity and user safety.

Affected Version(s)

Mediawiki - WikiCategoryTagCloud extension 1.39.x < 1.39.13

Mediawiki - WikiCategoryTagCloud extension 1.42.x < 1.42.7

Mediawiki - WikiCategoryTagCloud extension 1.43.x < 1.43.2

References

https://phabricator.wikimedia.org/T394590

https://gerrit.wikimedia.org/r/q/Idd68cf2372aedd916687d30...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 7, 2025
Vulnerability Reserved
Jun 30, 2025