VYPR
Medium severity, CVSS 5.4 (NVD) · Published Jul 7, 2025 · Updated Apr 15, 2026

CVE-2025-53486


Description

The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud.

The vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.

This issue affects the MediaWiki WikiCategoryTagCloud extension: 1.39.x before 1.39.13, 1.42.x before 1.42.7, and 1.43.x before 1.43.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in MediaWiki WikiCategoryTagCloud extension via unsanitized linkstyle attribute allows arbitrary JavaScript execution on hover.

The WikiCategoryTagCloud extension for MediaWiki is vulnerable to reflected cross-site scripting (XSS) through the linkstyle parameter of the {{#tag:tagcloud}} parser function. The vulnerability arises because the linkstyle value is only passed through Sanitizer::checkCss(), which checks for dangerous CSS functions like url() but does not escape HTML entities. The value is then concatenated directly into an inline style attribute using string concatenation, rather than being safely inserted via Html::element or Html::openElement. This allows an attacker to break out of the attribute and inject arbitrary HTML attributes, such as JavaScript event handlers [1].

To exploit this vulnerability, an attacker crafts a wiki page or uses Special:ExpandTemplates with a {{#tag:tagcloud}} call containing a malicious linkstyle value, for example: linkstyle=""onmouseenter="alert('XSS')"". When a victim hovers over any link in the generated category cloud, the injected onmouseenter event handler executes arbitrary JavaScript in the context of the victim's session. The attack requires no special privileges; any user who can view the page can be targeted. The {{#tag:}} parser function allows quotes to be inserted into parameters, bypassing typical restrictions that apply when using extension tags via attributes [1].
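The two rendering patterns the advisory contrasts, as an added stand-alone illustration (not the extension's code and not MediaWiki's): the vulnerable path concatenates a CSS-checked but unescaped value into a style attribute, while the hardened path builds the element with attribute-aware escaping. checkCssStandIn() and htmlElementStandIn() are simplified stand-ins for Sanitizer::checkCss() and Html::element(), written here only so the script runs without MediaWiki; the payload is a constructed input of the kind the advisory says is reachable through {{#tag:tagcloud}}.

```php
<?php
// Added illustration (not the WikiCategoryTagCloud extension's own code).
// Both helper functions below are simplified stand-ins, assumed here so the
// script runs without a MediaWiki install; they are not the real APIs.
declare(strict_types=1);

/**
 * Stand-in for Sanitizer::checkCss(): rejects a few dangerous CSS constructs
 * but, like the real function, never escapes HTML metacharacters.
 */
function checkCssStandIn(string $css): string {
    if (preg_match('/url\s*\(|expression\s*\(|@import/i', $css)) {
        return '/* insecure input */';
    }
    return $css;
}

/** Stand-in for Html::element(): every attribute value and the text are HTML-escaped. */
function htmlElementStandIn(string $tag, array $attrs, string $text): string {
    $out = '<' . $tag;
    foreach ($attrs as $name => $value) {
        $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
    }
    return $out . '>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</' . $tag . '>';
}

/** Vulnerable pattern: CSS-checked value concatenated straight into the attribute. */
function renderLinkVulnerable(string $href, string $label, string $linkstyle): string {
    $style = checkCssStandIn($linkstyle); // passes the check, still contains a double quote
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '" style="' . $style . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

/** Hardened pattern: same CSS check, then attribute-aware element construction. */
function renderLinkSafe(string $href, string $label, string $linkstyle): string {
    return htmlElementStandIn('a', [
        'href'  => $href,
        'style' => checkCssStandIn($linkstyle),
    ], $label);
}

/** True if the markup carries a live onmouseenter attribute (quote delimiter intact). */
function hasLiveEventHandler(string $html): bool {
    return str_contains($html, ' onmouseenter="');
}

// Constructed attacker input: closes the style attribute early, then adds a handler.
$payload = '" onmouseenter="alert(\'XSS\')';

$bad  = renderLinkVulnerable('/wiki/Category:Foo', 'Foo', $payload);
$good = renderLinkSafe('/wiki/Category:Foo', 'Foo', $payload);

echo "vulnerable: $bad\n";
// vulnerable: <a href="/wiki/Category:Foo" style="" onmouseenter="alert('XSS')">Foo</a>
echo "hardened:   $good\n";
// hardened:   <a href="/wiki/Category:Foo" style="&quot; onmouseenter=&quot;alert(&apos;XSS&apos;)&quot;">Foo</a>

echo 'vulnerable output has live handler: ' . var_export(hasLiveEventHandler($bad), true) . "\n";  // true
echo 'hardened output has live handler:   ' . var_export(hasLiveEventHandler($good), true) . "\n"; // false
```

The CSS check is not the problem and is kept in both paths; what changes is that the hardened path treats the value as attribute data, so the injected double quote is emitted as &quot; and the browser never sees a second attribute. The same distinction applies to any extension that builds inline HTML by concatenation: validate the content for its own grammar (CSS here), then still escape it for the HTML context it is placed into.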

The impact is reflected XSS, enabling an attacker to perform actions on behalf of the victim, such as stealing session cookies, modifying page content, or performing administrative actions if the victim has elevated rights. The vulnerability affects WikiCategoryTagCloud versions 1.39.x before 1.39.13, 1.42.x before 1.42.7, and 1.43.x before 1.43.2. Patched versions are available; users should update to the latest release. No workaround is documented, but disabling the extension or restricting its use to trusted editors may reduce risk [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
