VYPR
Medium severity (6.1) · NVD Advisory · Published Jul 7, 2025 · Updated Apr 15, 2026

CVE-2025-53488

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - WikiHiero Extension allows Stored XSS. This issue affects Mediawiki - WikiHiero Extension: from 1.43.X before 1.43.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WikiHiero extension stored XSS via raw HTML concatenation of system messages allows arbitrary JavaScript execution.

Vulnerability

The WikiHiero extension for MediaWiki suffers from a stored cross-site scripting (XSS) vulnerability because it concatenates the wikihiero-input and wikihiero-result system messages with raw HTML using mw.msg() and jQuery .html() [1]. The system messages are user-editable (by administrators or users with appropriate rights) and are directly inserted into the DOM without sanitization, as seen in the source code at ext.wikihiero.special.js lines 29-32 [1].

Exploitation

An attacker who can edit system messages (e.g., an administrator or a user with editinterface rights, or via a separate privilege escalation) can inject arbitrary HTML and JavaScript into the affected special page. The vulnerability is triggered when a victim visits Special:Hieroglyphs and submits any input, causing the malicious payload to execute in their browser [1].

Impact

Successful exploitation allows an attacker to execute JavaScript in the context of the victim's session, potentially leading to session hijacking, defacement, or theft of sensitive information. The attack does not require user interaction beyond visiting the page and submitting the form, making it a stored XSS with medium severity [1].

Mitigation

The vulnerability has been patched in MediaWiki WikiHiero extension versions 1.43.2 and later. Patches were merged into branches REL1_39, REL1_42, REL1_44, and master on June 10, 2025, changing the system message insertion to use .text() instead of raw HTML to prevent XSS [1]. Users should update to the latest patched version immediately.
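The Vulnerability and Mitigation sections above describe the defect as a choice between jQuery's `.html()` and `.text()` when inserting a user-editable system message. The following is an added illustration, not code from the WikiHiero extension or from MediaWiki: jQuery is not loaded, so the two insertion modes are modelled on plain strings (`renderLabelUnsafe` stands in for `.html()`, `renderLabelSafe` for `.text()`), and the tampered message value is constructed for the example.

```javascript
// Added illustration (not WikiHiero's code): how a user-editable system
// message behaves when inserted as raw HTML versus as text. jQuery is not
// used; the two insertion modes are modelled on strings so this runs in Node.

// Minimal HTML escaping, equivalent to what a browser does when it
// serialises a text node created via .text() / textContent.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the message becomes part of the markup, so any
// tags inside the stored message are parsed as real elements.
function renderLabelUnsafe(message) {
  return '<th>' + message + '</th>'; // models $('th').html(message)
}

// Fixed pattern: the message is treated as character data only.
function renderLabelSafe(message) {
  return '<th>' + escapeHtml(message) + '</th>'; // models $('th').text(message)
}

// Count element start tags in a markup string. A label that should hold
// only text must yield exactly one start tag (the <th> itself); anything
// more means the message was interpreted as markup.
function countStartTags(markup) {
  const found = markup.match(/<[a-zA-Z][^>]*>/g);
  return found ? found.length : 0;
}

// Constructed message value, standing in for an edited system message.
const TAMPERED_MESSAGE = 'Input <script>console.log("ran")</script>';

// Compare both rendering paths on the same stored message.
function demo(message = TAMPERED_MESSAGE) {
  const unsafe = renderLabelUnsafe(message);
  const safe = renderLabelSafe(message);
  return {
    unsafeTags: countStartTags(unsafe),           // 2: <th> plus the injected <script>
    safeTags: countStartTags(safe),               // 1: only <th>
    safeContainsRawScript: safe.includes('<script'), // false
  };
}

console.log(demo());
```

The same single-tag check is a cheap regression test for any template that is supposed to render a message as a label: render a message containing angle brackets and assert that the element count does not change.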

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)