CVE-2025-53487
Description
The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped.
This issue affects the MediaWiki ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in MediaWiki ApprovedRevs extension allows attackers to inject JavaScript via crafted language override in system messages.
Vulnerability
Overview
The ApprovedRevs extension for MediaWiki is vulnerable to stored cross-site scripting (XSS) due to improper escaping of system messages that are inserted directly into raw HTML. The extension fails to sanitize certain message keys, allowing an attacker to inject arbitrary JavaScript code that is then stored and executed in the context of other users' browsers [1].
Exploitation
An attacker can exploit this vulnerability by using the uselang=x-xss language override parameter. By crafting a malicious message key that contains JavaScript payloads, the attacker can cause the extension to render the unescaped payload when the page is viewed. No special privileges are required beyond the ability to trigger the language override, making the attack surface broad for any user who can influence the uselang parameter [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information such as authentication tokens. The stored nature of the XSS means the payload persists and affects all users who view the affected pages [1].
Mitigation
The vulnerability has been patched in ApprovedRevs versions 1.39.13, 1.42.7, and 1.43.2. Users running earlier versions within the affected branches (1.39.x before 1.39.13, 1.42.x before 1.42.7, 1.43.x before 1.43.2) should update immediately. No workaround is available; updating to the patched release is the only mitigation [1].
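As an added illustration, not code from the ApprovedRevs extension itself, the following stand-alone PHP sketch shows the pattern the advisory describes: a system message fetched under the uselang=x-xss test language is concatenated into raw HTML unescaped, next to the escaped form an extension maintainer would use, with a small check a reviewer can run over rendered output. The msgText() stub, the approvedrevs-approve key and its English text are constructed stand-ins for MediaWiki's wfMessage() API, and the exact x-xss payload shape is modelled on core's test language, not copied from it.

```php
<?php
// Stand-in for MediaWiki's wfMessage( $key )->text(). Assumption: modelled on
// core's x-xss test language, which substitutes a script tag carrying the
// message key for every message so that unescaped HTML sinks become visible.
function msgText( string $key, string $lang ): string {
    // Constructed sample message; not the extension's real i18n data.
    $messages = [ 'approvedrevs-approve' => 'Approve this revision' ];
    if ( $lang === 'x-xss' ) {
        return '<script>alert("' . $key . '")</script>';
    }
    return $messages[$key] ?? "($key)";
}

// Vulnerable pattern described in the advisory: message text concatenated
// straight into raw HTML. In extension code this looks like
// wfMessage( ... )->text() inside a string or passed to Html::rawElement().
function renderVulnerable( string $lang ): string {
    return '<a class="approvedrevs-link" href="#">'
        . msgText( 'approvedrevs-approve', $lang ) . '</a>';
}

// Hardened form: escape before insertion. In extension code use
// wfMessage( ... )->escaped(), or Html::element(), which escapes its content;
// use ->parse() only when the message is meant to carry wikitext markup.
function renderHardened( string $lang ): string {
    return '<a class="approvedrevs-link" href="#">'
        . htmlspecialchars( msgText( 'approvedrevs-approve', $lang ), ENT_QUOTES )
        . '</a>';
}

// Review check: render under the x-xss test language and flag any output that
// still carries a literal <script> tag, the telltale of an unescaped sink.
function leaksScript( callable $renderer ): bool {
    return stripos( $renderer( 'x-xss' ), '<script' ) !== false;
}

foreach ( [ 'renderVulnerable', 'renderHardened' ] as $fn ) {
    echo $fn, ': ', leaksScript( $fn ) ? 'unescaped sink' : 'ok', PHP_EOL;
}
```

The same check applied to a real extension's rendered pages, by viewing them with ?uselang=x-xss on a test wiki, surfaces every message sink that still needs escaping.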
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=1.39.0,<1.39.13, >=1.42.0,<1.42.7, >=1.43.0,<1.43.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.