CVE-2025-53486 in WikiCategoryTagCloud Extension
Summary
by MITRE • 07/07/2025
The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.
The vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.
This issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/07/2025
The vulnerability identified as CVE-2025-53486 resides within the WikiCategoryTagCloud extension for MediaWiki, presenting a reflected cross-site scripting risk that stems from improper handling of user-supplied CSS style attributes. This flaw specifically manifests when the linkstyle parameter is processed through the {{#tag:tagcloud}} parser function, creating an avenue for malicious actors to inject JavaScript event handlers such as onmouseenter. The vulnerability operates at the intersection of web application security and HTML rendering, where the extension fails to properly sanitize or escape CSS attributes before incorporating them into inline HTML elements. The affected versions span across multiple MediaWiki release lines including 1.39.X prior to 1.39.13, 1.42.X prior to 1.42.7, and 1.43.X prior to 1.43.2, indicating a widespread impact across the extension's supported versions.
The technical implementation of this vulnerability demonstrates a critical failure in input validation and output encoding practices within the MediaWiki codebase. The linkstyle parameter undergoes sanitization through Sanitizer::checkCss() which, while designed to validate CSS properties, does not perform HTML escaping operations necessary for safe insertion into HTML attributes. This function call is insufficient for preventing XSS attacks because it focuses solely on CSS validation rather than HTML context sanitization. Subsequently, the improperly sanitized parameter is directly concatenated into HTML style attributes using string concatenation methods instead of proper HTML element construction functions such as Html::element or Html::openElement. This approach bypasses MediaWiki's established security mechanisms for HTML output generation and creates a direct injection point for malicious JavaScript code execution.
The operational impact of this vulnerability extends beyond simple script execution to encompass a range of potential security consequences that could compromise user sessions and system integrity. When a victim navigates to a page containing the vulnerable category cloud display and hovers over any link, the injected JavaScript code executes within their browser context, potentially enabling session hijacking, credential theft, or redirection to malicious sites. The reflected nature of this XSS vulnerability means that attackers need not persistently store malicious payloads, as the injection occurs dynamically based on user interaction with specific hover events. This characteristic makes the vulnerability particularly dangerous in environments where users frequently interact with wiki content, as it can be triggered through normal browsing activities without requiring complex attack vectors or persistent exploitation techniques.
Mitigation strategies for CVE-2025-53486 should prioritize immediate patch application to affected MediaWiki installations, with administrators upgrading to versions that include proper HTML escaping for CSS attributes. The recommended approach involves implementing proper HTML element construction methods that automatically escape attributes and content, ensuring that CSS parameters are sanitized using appropriate context-aware sanitization functions. Security teams should also consider implementing content security policies that limit script execution capabilities and monitor for unusual patterns in user interactions with category cloud displays. This vulnerability aligns with CWE-79 (Cross-site Scripting) and maps to ATT&CK technique T1203 (Exploitation for Client Execution) within the adversary tactics and techniques framework, emphasizing the importance of input validation and output encoding as primary defensive measures against such attacks. Organizations should conduct comprehensive security assessments of their MediaWiki installations to identify and remediate similar vulnerabilities in other extensions that may employ similar patterns of insecure HTML construction.