CVE-2025-53497
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RelatedArticles Extension allows Stored XSS. This issue affects Mediawiki - RelatedArticles Extension: from 1.43.X before 1.43.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in MediaWiki RelatedArticles extension allows attackers to inject malicious scripts via improperly neutralized input.
Vulnerability
Overview
The RelatedArticles extension for MediaWiki fails to properly neutralize user-controlled content when it generates page HTML, resulting in a stored cross-site scripting (XSS) vulnerability (CWE-79) [1]. The affected range is the 1.43.X line before 1.43.2. Content that an editor can place in the wiki is persisted and later emitted into the related-articles output without adequate escaping for the HTML context it lands in, so a payload saved once runs for every subsequent viewer of the page.
Exploitation
An attacker who can contribute content (for example, edit pages or designate related articles) can store arbitrary HTML or JavaScript. The payload persists on the server and executes in the browser of every user who later views an affected page; the only precondition is ordinary wiki editing privileges, and no special network position is required.
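The rendering pattern behind this class of bug, as an added example (not code from the RelatedArticles extension or from MediaWiki): a minimal "related article card" renderer shown in its vulnerable shape, where stored strings are concatenated into HTML, and in a hardened shape that escapes for the text and attribute contexts and additionally allow-lists the link scheme. The field names (title, extract, url), the sample records and the helper names are assumptions for illustration.

```javascript
// Added example, not the extension's own code. Field names and samples are assumed.

// Constructed sample records, as an attacker with edit rights might store them.
const SAMPLE_RELATED = [
  { title: "Normal article", extract: "Plain text about 'things' & stuff.", url: "/wiki/Normal_article" },
  { title: '<img src=x onerror="alert(document.cookie)">', extract: "", url: "/wiki/Evil" },
  { title: "Link attack", extract: "looks fine", url: "javascript:alert(1)" },
];

// Vulnerable: stored strings are dropped straight into the generated HTML,
// so a title containing markup becomes live markup in every viewer's browser.
function renderCardUnsafe(item) {
  return '<a class="card" href="' + item.url + '">' +
    '<h3>' + item.title + '</h3><p>' + item.extract + '</p></a>';
}

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Escaping alone does not neutralize a javascript: URL in href, because that
// string contains nothing to escape. Allow only http(s) or site-relative paths.
function safeHref(url) {
  const u = String(url).trim();
  if (/^https?:\/\//i.test(u) || (u.startsWith('/') && !u.startsWith('//'))) {
    return escapeHtml(u);
  }
  return '#';
}

// Hardened: every stored value is encoded for the context it is placed in.
function renderCardSafe(item) {
  return '<a class="card" href="' + safeHref(item.url) + '">' +
    '<h3>' + escapeHtml(item.title) + '</h3><p>' + escapeHtml(item.extract) + '</p></a>';
}

// Quick self-check: the unsafe renderer leaks the event handler, the safe one does not.
function demo() {
  const unsafe = renderCardUnsafe(SAMPLE_RELATED[1]);
  const safe = renderCardSafe(SAMPLE_RELATED[1]);
  return { unsafeHasHandler: unsafe.includes('onerror='), safeHasHandler: /<img/.test(safe) };
}
```

MediaWiki core already ships context-aware helpers for exactly this job, `Html::element()` on the PHP side and `mw.html.escape()` in ResourceLoader modules; the lesson of the example is that the escaping must be applied at the point of output, for the specific context (text node, attribute value, URL), rather than trusting that content was cleaned when it was saved.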
Impact
Successful exploitation runs script in the victim's browser in the context of their wiki session, which can be leveraged for session or account takeover, theft of data the victim can read, and page defacement. The CVSS v3 score of 5.4 (Medium) is consistent with the usual stored-XSS vector: low privileges required, user interaction needed, and confidentiality and integrity impact rated low rather than high. On a wiki where administrators browse the same pages as everyone else, the practical impact can be higher than the base score suggests.
Mitigation
The vulnerability is patched in RelatedArticles extension version 1.43.2; sites on the 1.43 line should update to 1.43.2 or later. Administrators can confirm the installed extension and MediaWiki version on the wiki's Special:Version page. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (no CPE):
- range: >=1.43.0, <1.43.2
- range: >=1.43.0 <1.43.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2 references.
News mentions
No linked articles in our index yet.