VYPR
None severity · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2025-67479

Description

Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php.

This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MediaWiki's magic word replacement in the legacy parser can bypass reserved data attribute checks, enabling stored cross-site scripting.

Root Cause

Wikimedia's MediaWiki and Cite extensions contain a logic flaw in the legacy parser. When a user inserts a magic word (e.g., __NOTOC__) into the name of a data attribute on an HTML tag in wikitext, the Sanitizer::validateAttributes routine does not properly reject the attribute because double underscores are permitted in data-attribute names at that stage. Later, Parser::handleDoubleUnderscore processes the half-parsed HTML and removes the magic word, transforming data-__NOTOC__ooui into data-ooui, a reserved attribute prefix [1].

Attack Vector

The vulnerability can be triggered by previewing a page containing a crafted wikitext tag. The proof of concept provided in the advisory shows a tag with a data-__NOTOC__ooui attribute whose value is a JSON structure containing an OO.ui.ButtonWidget with an inline onerror JavaScript handler. Once the magic word is stripped, the effective attribute data-ooui allows the MediaWiki interface to interpret the JSON and insert raw HTML into the DOM [1].

Impact

An attacker who can edit or preview pages can achieve stored cross-site scripting (XSS) by injecting arbitrary HTML and JavaScript that executes in the context of other users viewing the affected page. The issue bypasses the existing sanitization guard that was intended to prevent untrusted data attributes beginning with data-mw or data-parsoid, which are reserved for internal storage of HTML content [1].
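The check-then-transform ordering described under Root Cause can be modeled in a few lines. The following is an added example, not MediaWiki's code or the upstream patch: the function names, the magic-word subset and the sample wikitext are assumptions made for illustration. It contrasts a name check that runs only before magic-word stripping with one that also checks the name after stripping, and uses the difference to audit wikitext for attributes that would slip through.

```python
import re

# Reserved prefixes named in the advisory text above.
RESERVED_PREFIXES = ("data-ooui", "data-mw", "data-parsoid")
# Assumption: a small subset of double-underscore magic words, case-insensitive.
MAGIC_WORD = re.compile(r"__(?:NOTOC|FORCETOC|TOC|NOEDITSECTION)__", re.IGNORECASE)
# data-* attribute names followed by "=" in wikitext.
DATA_ATTR = re.compile(r"(?<![\w-])(data-[\w-]+)\s*=")


def is_reserved(name: str) -> bool:
    return name.lower().startswith(RESERVED_PREFIXES)


def effective_name(name: str) -> str:
    """Name after magic words are stripped, repeated until nothing changes."""
    while True:
        stripped = MAGIC_WORD.sub("", name)
        if stripped == name:
            return name
        name = stripped


def validate_early(name: str) -> bool:
    """Flawed order: checks only the name as written, before stripping."""
    return not is_reserved(name)


def validate_hardened(name: str) -> bool:
    """Rejects a name that is reserved as written or after stripping."""
    return not (is_reserved(name) or is_reserved(effective_name(name)))


def audit_wikitext(text: str) -> list[tuple[str, str]]:
    """Attributes that pass the early check but become reserved later."""
    hits = []
    for raw in DATA_ATTR.findall(text):
        if validate_early(raw) and not validate_hardened(raw):
            hits.append((raw, effective_name(raw)))
    return hits


# Constructed sample; attribute values are empty placeholders.
SAMPLE = ('<div data-__NOTOC__ooui="{}">a</div>\n'
          '<span data-sort-value="3">b</span>\n'
          '<div data-mw="{}">c</div>\n')

if __name__ == "__main__":
    for raw, eff in audit_wikitext(SAMPLE):
        print(f"{raw} -> {eff}")
```

Running `audit_wikitext` over stored revisions of an unpatched wiki gives a quick list of attributes worth reviewing; it does not replace applying the fixed release.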

Mitigation

The problem is fixed in MediaWiki 1.39.14, 1.43.4, and 1.44.1, and in the Cite extension at the same versions. Users should update immediately. No workaround is described; administrators of unpatched wikis can restrict editing privileges as a temporary measure, but the safest mitigation is to apply the security patch [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
