CVE-2025-10354
Description
Reflected Cross-Site Scripting (XSS) vulnerability in Semantic MediaWiki. An attacker can execute JavaScript in a victim's browser by sending them a crafted URL for the '/index.php/Speciaal:GefacetteerdZoeken' endpoint that carries a malicious value in one of its query parameters ("Speciaal" is the Dutch namespace prefix for "Special", and "GefacetteerdZoeken" is Dutch for "faceted search", so this is a localized special-page name). The vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Semantic MediaWiki allows attackers to execute JavaScript via a malicious URL, potentially stealing session cookies.
Vulnerability
Overview
CVE-2025-10354 is a reflected Cross-Site Scripting (XSS) vulnerability in the Semantic MediaWiki extension for MediaWiki. The flaw exists in the /index.php/Speciaal:GefacetteerdZoeken endpoint, where user-supplied request input is reflected into the page output without output encoding. This allows an attacker to inject arbitrary HTML and JavaScript into the response [1].
Exploitation
An attacker can exploit this vulnerability by crafting a URL whose parameter value contains the XSS payload. When a victim opens the link (e.g., via phishing or social engineering), the injected script executes in the wiki's origin inside the victim's browser, with whatever access that origin grants (DOM, same-origin requests, cookies not marked HttpOnly). No authentication is required to trigger the vulnerability, but user interaction (the victim following the link) is necessary [1].
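To make the reflection described in the Overview and Exploitation sections concrete, the following added example (not code from Semantic MediaWiki or its maintainers) models a special page that echoes a request parameter into HTML, shows the same page with output encoding applied at the sink, builds the kind of URL an attacker would send, and checks a captured response body for an unescaped reflection. The parameter name `q`, the page layout and the probe string are assumptions; the only thing taken from the page is the endpoint path.

```python
"""Reflected-XSS model and a response check for a special-page query parameter.

Added example, not Semantic MediaWiki code. The renderers stand in for a
special page that reflects a request parameter; parameter name `q`, the HTML
layout and the probe string are assumptions.
"""
import html
from urllib.parse import urlencode

# Constructed probe: closes a double-quoted attribute, then opens a tag.
# Harmless once escaped, because the browser then sees only text.
PROBE = '"><svg onload=alert(1)>'

# Endpoint path quoted on the page (host is assumed).
ENDPOINT = "https://wiki.example/index.php/Speciaal:GefacetteerdZoeken"


def render_vulnerable(query: str) -> str:
    """Reflects the raw parameter into an attribute and into text (the bug class)."""
    return (
        '<form><input name="q" value="' + query + '"></form>'
        '<p>Results for: ' + query + '</p>'
    )


def render_hardened(query: str) -> str:
    """Same page with output encoding at the sink.

    html.escape(quote=True) encodes & < > " and ', so the value can neither
    terminate the double-quoted attribute nor start a tag in text context.
    """
    safe = html.escape(query, quote=True)
    return (
        '<form><input name="q" value="' + safe + '"></form>'
        '<p>Results for: ' + safe + '</p>'
    )


def probe_url(base: str = ENDPOINT, param: str = "q", payload: str = PROBE) -> str:
    """Build the link an attacker would send: payload URL-encoded in the query string."""
    return base + "?" + urlencode({param: payload})


def count_reflections(body: str, probe: str = PROBE) -> tuple:
    """Return (raw_reflections, escaped_reflections) of the probe in a response body.

    A raw reflection means the markup reached the page unchanged; an escaped
    reflection (`&quot;&gt;&lt;svg ...`) is rendered as text and is not exploitable.
    """
    escaped = html.escape(probe, quote=True)
    return body.count(probe), body.count(escaped)


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """True when the probe appears verbatim in the body, i.e. the page is vulnerable."""
    return count_reflections(body, probe)[0] > 0


if __name__ == "__main__":
    print("attacker link:", probe_url())
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        body = render(PROBE)
        print(name, "raw/escaped reflections:", count_reflections(body),
              "-> vulnerable" if reflects_unescaped(body) else "-> safe")
```

When verifying a real instance, fetch the page with the probe in the suspect parameter and run `reflects_unescaped` over the response body; a raw reflection in attribute context is enough for the payload above, while escaped reflections are the expected result after upgrading. The check is context-aware only to the extent that the probe is: a reflection inside a `<script>` block or a JavaScript URL would need a different probe.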
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser within the wiki's origin. This can be used to steal sensitive information such as session cookies, perform actions on behalf of the authenticated user, or deface the wiki page. Cookie theft requires the session cookie to lack the HttpOnly flag; even when it is set, the script can still issue authenticated same-origin requests (for example edits) in the victim's session. The CVSS v4.0 base score is 5.1 (Medium), reflecting the need for user interaction and the limited scope of impact [1].
Mitigation
The Semantic MediaWiki team has addressed this vulnerability in version 5.0.2. Users running versions prior to 5.0.2 are advised to upgrade. No workarounds have been provided, and the vulnerability is not known to be exploited in the wild [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)