CVE-2025-53502
Description
Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Wikimedia's FeaturedFeeds extension allows XSS via i18n message injection, affecting versions 1.39, 1.42, and 1.43.
Vulnerability
Overview
The FeaturedFeeds extension for MediaWiki is vulnerable to Cross-Site Scripting (XSS) due to improper input validation of internationalization (i18n) messages. The issue arises when the content of an i18n message that can be influenced by a user is placed into HTML output without adequate escaping, allowing an attacker to inject arbitrary JavaScript or HTML into the rendered page [1].
Exploitation
Prerequisites
An attacker must be able to influence the i18n message content that the extension processes. This typically requires some level of administrative access, or the ability to edit the wiki pages in the MediaWiki namespace that define message text. No direct interaction from the victim is needed beyond viewing a page on which the extension renders the malicious message.
Impact
Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to session hijacking, defacement, phishing, or other malicious actions that compromise the confidentiality and integrity of the wiki environment.
Mitigation
A fix has been implemented and is available via the MediaWiki security update. Administrators should update the FeaturedFeeds extension to the latest patched version for the affected branches (1.39, 1.42, 1.43) [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 1.39.x, 1.42.x, 1.43.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.