Stored XSS in TitleIcon Extension of MediaWiki
CVE-2025-7363

Currently unrated

What is CVE-2025-7363?

The TitleIcon extension for MediaWiki contains a stored cross-site scripting (XSS) flaw in its #titleicon_unicode parser function. The user-supplied argument to this function is not sanitized: it is wrapped directly in an HtmlArmor object, which MediaWiki treats as already-safe HTML and therefore emits without escaping. An attacker can thus store arbitrary HTML and JavaScript in a page so that it executes in the browsers of users who view it, in the context of their session, potentially exposing sensitive information or performing actions on their behalf.
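The following PHP snippet is an added illustration of the pattern the advisory describes; it is not the TitleIcon extension's code. It uses a minimal stand-in for MediaWiki's HtmlArmor class (assumed here to behave like the core helper: armored values are passed through untouched, plain strings are escaped) and contrasts a rendering function that armors raw user input with one that leaves the input as a plain string so it is escaped on output. The function names, the `titleicon` CSS class and the sample inputs are constructed for the example.

```php
<?php
// Added example, not TitleIcon's own code.
// Stand-in for MediaWiki's HtmlArmor: a wrapper that tells the output layer
// "this string is already safe HTML, do not escape it". Whatever is wrapped
// reaches the rendered page verbatim, so only HTML the code built itself
// should ever be armored.
class HtmlArmor {
    private string $value;

    public function __construct( string $value ) {
        $this->value = $value;
    }

    // Assumed to mirror the core helper: armored content is returned as-is,
    // plain strings are HTML-escaped.
    public static function getHtml( $input ): string {
        if ( $input instanceof self ) {
            return $input->value;
        }
        return htmlspecialchars( $input, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern: the parser-function argument is armored as-is, so the
// escaping that plain strings receive is skipped and any markup in the
// argument is emitted into the page unchanged.
function renderTitleIconUnsafe( string $userIcon ): string {
    $armored = new HtmlArmor( $userIcon );   // raw user input marked "safe"
    return '<span class="titleicon">' . HtmlArmor::getHtml( $armored ) . '</span>';
}

// Hardened pattern: keep user input as a plain string so the output helper
// escapes it; additionally (an assumption about the intended use of a
// "unicode" icon) accept only a single code point and fall back to an
// empty icon otherwise.
function renderTitleIconSafe( string $userIcon ): string {
    if ( mb_strlen( $userIcon, 'UTF-8' ) !== 1 ) {
        $userIcon = '';                       // reject anything that is not one character
    }
    return '<span class="titleicon">' . HtmlArmor::getHtml( $userIcon ) . '</span>';
}

// Constructed inputs: a legitimate icon and one carrying stray markup.
$inputs = [ '★', '<b>not an icon</b>' ];
foreach ( $inputs as $in ) {
    echo "input:  $in\n";
    echo "unsafe: " . renderTitleIconUnsafe( $in ) . "\n";
    echo "safe:   " . renderTitleIconSafe( $in ) . "\n\n";
}
```

Run with `php example.php`: the unsafe function echoes the `<b>` tags into the output, while the safe function produces an empty icon for the second input and would escape the tags if the length check were dropped. The general lesson is that HtmlArmor (or any "trusted HTML" marker) must only wrap strings the code constructed and escaped itself, never a parser-function argument taken from wikitext.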

Affected Version(s)

MediaWiki - TitleIcon extension 1.39.x < 1.39.13

MediaWiki - TitleIcon extension 1.42.x < 1.42.7

MediaWiki - TitleIcon extension 1.43.x < 1.43.2

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
