Cross-Site Scripting Vulnerability in Wikimedia Foundation's MediaWiki UploadWizard Extension
CVE-2025-62663

6.9 MEDIUM

What is CVE-2025-62663?

The UploadWizard extension for MediaWiki contains a stored Cross-Site Scripting (XSS) vulnerability. The flaw arises from improper neutralization of input during web page generation, potentially allowing attackers to inject malicious scripts that execute in the context of users' browsers. As a result, sensitive user interactions could be exploited, leading to unauthorized access or data manipulation. Users are advised to update to the latest version to mitigate this risk.

Affected Version(s)

MediaWiki - UploadWizard Extension master < 1.39

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

SomeRandomDeveloper