Stored XSS in TitleIcon Extension of MediaWiki
CVE-2025-7363

Currently unrated

Key Information:

Vendor: Wikimedia Foundation
Status: Mediawiki - Titleicon Extension
Vendor: CVE Published:; 8 July 2025

🔔 Create Wikimedia Foundation Vulnerability Alert

What is CVE-2025-7363?

The TitleIcon extension for MediaWiki exposes a stored XSS flaw through the #titleicon_unicode parser function. User-provided input to this function is improperly handled, as it is directly stored in an HtmlArmor object without sanitization. This oversight allows malicious users to inject arbitrary JavaScript code that executes in the context of the user's session, potentially compromising sensitive information or performing actions on behalf of the user.

Affected Version(s)

Mediawiki - TitleIcon extension 1.39.x < 1.39.13

Mediawiki - TitleIcon extension 1.42.x < 1.42.7

Mediawiki - TitleIcon extension 1.43.x < 1.43.2

References

https://phabricator.wikimedia.org/T394721

https://gerrit.wikimedia.org/r/q/I107ab638fecbf52b5bec3f0...

https://gerrit.wikimedia.org/r/q/I2e8c73445172679634f6ec6...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Jul 8, 2025