Stored XSS in TitleIcon Extension of MediaWiki
CVE-2025-7363
What is CVE-2025-7363?
The TitleIcon extension for MediaWiki exposes a stored XSS flaw through the #titleicon_unicode parser function. The function stores user-provided input directly in an HtmlArmor object without sanitization, so the input is later emitted as raw HTML. This allows malicious users to inject arbitrary JavaScript code that executes in the context of the user's session, potentially compromising sensitive information or performing actions on behalf of the user.
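
The pattern described above, as an added example that is not the extension's code: wrapping an unescaped argument in HtmlArmor exempts it from output escaping, while escaping before wrapping keeps it inert. HtmlArmorStandIn is a minimal stand-in for MediaWiki's HtmlArmor so the script runs outside MediaWiki; iconUnsafe, iconSafe, the titleicon class name and the sample inputs are hypothetical, and PHP 8 is assumed.

```php
<?php
// Stand-in mirroring HtmlArmor's contract: armored values are emitted
// verbatim, plain strings are HTML-escaped on output.
final class HtmlArmorStandIn {
    public function __construct( private string $value ) {}

    public static function getHtml( $input ): string {
        return $input instanceof self
            ? $input->value
            : htmlspecialchars( (string)$input, ENT_QUOTES );
    }
}

// Weak form (hypothetical handler): the parser-function argument is armored
// as-is, so the output layer treats it as trusted HTML and skips escaping.
function iconUnsafe( string $arg ): HtmlArmorStandIn {
    return new HtmlArmorStandIn( $arg );
}

// Hardened form (hypothetical handler): escape the argument first, then armor
// only the result together with markup the code itself controls.
function iconSafe( string $arg ): HtmlArmorStandIn {
    $escaped = htmlspecialchars( $arg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    return new HtmlArmorStandIn( '<span class="titleicon">' . $escaped . '</span>' );
}

// Constructed sample arguments: a legitimate icon character and a markup string.
$samples = [ '★', '<script>/* constructed sample */</script>' ];

foreach ( $samples as $arg ) {
    foreach ( [ 'iconUnsafe', 'iconSafe' ] as $fn ) {
        $html = HtmlArmorStandIn::getHtml( $fn( $arg ) );
        // RAW means markup from the argument reached the output unescaped.
        $raw = str_contains( $arg, '<' ) && str_contains( $html, $arg );
        printf( "%-10s %-3s %s\n", $fn, $raw ? 'RAW' : 'ok', $html );
    }
}
```

Only the iconUnsafe row for the markup sample is flagged RAW; the same check works as a regression test for any handler that returns an armored value.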

Affected Version(s)
MediaWiki - TitleIcon extension 1.39.x < 1.39.13
MediaWiki - TitleIcon extension 1.42.x < 1.42.7
MediaWiki - TitleIcon extension 1.43.x < 1.43.2
