CVE-2025-7056
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - UrlShortener Extension allows Stored XSS. This issue affects Mediawiki - UrlShortener Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in the MediaWiki UrlShortener extension allows an attacker to inject arbitrary JavaScript via a system message page.
Vulnerability Analysis
The MediaWiki UrlShortener extension fails to properly neutralize user-controllable input when generating web pages, resulting in a stored cross-site scripting (XSS) vulnerability ([1]). This flaw specifically arises when an attacker can edit a wiki system message page (e.g., MediaWiki namespace) that is used by the extension to display shortened URLs. Because the extension does not sanitize the content, an attacker can inject arbitrary HTML and JavaScript code that will be stored and executed in the context of other users' sessions ([1]).
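As an added illustration, not code from the UrlShortener extension or from the advisory, the following Python sketch contrasts the pattern the analysis describes, a stored system message interpolated into page markup without escaping, with the hardened form where the message is treated as text. The message content, short URL, function names and the review check are constructed for this example; the page does not identify the actual message key or rendering call involved.

```python
import html
import re

# Constructed stand-in for a wiki system message that a privileged account has
# edited. In the real extension the text comes from the wiki database; here it
# is embedded so the example runs offline.
EDITED_MESSAGE = "Your short URL: <script>alert(1)</script>"
SHORT_URL = "https://example.invalid/abc"  # placeholder, not a real short link


def render_unsafe(message: str, short_url: str) -> str:
    """Vulnerable pattern: the stored message text is concatenated into the
    page markup as-is, so any HTML it carries becomes part of the document and
    runs in every viewer's browser."""
    return f'<p class="urlshortener">{message} <code>{short_url}</code></p>'


def render_safe(message: str, short_url: str) -> str:
    """Hardened pattern: the message is escaped before it is placed in the
    markup, so only the tags this function itself emits reach the browser."""
    return (
        f'<p class="urlshortener">{html.escape(message)} '
        f"<code>{html.escape(short_url)}</code></p>"
    )


# Review check for template output: an unescaped script-bearing tag, or a tag
# that carries an on* event-handler attribute. Escaped text contains no raw '<',
# so a properly rendered message never matches. Intended as a test assertion on
# rendering code, not as an input filter.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|<[^>]*\bon[a-z]+\s*=", re.IGNORECASE
)


def contains_active_markup(rendered: str) -> bool:
    """True if the rendered HTML still contains markup that could execute."""
    return bool(ACTIVE_MARKUP.search(rendered))


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = fn(EDITED_MESSAGE, SHORT_URL)
        print(f"{name}: active markup present = {contains_active_markup(out)}")
        print("  ", out)
```

In MediaWiki terms the same distinction is between dropping the output of Message::text() into hand-built HTML and using Message::escaped() or Message::parse(), or assembling the markup with Html::element(); which call the actual fix changed is not stated on this page.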
Attack Vector and Prerequisites
Exploitation requires an attacker to have the ability to edit system message pages, which in a standard MediaWiki installation is a privilege restricted to trusted users (e.g., administrators or users with the editinterface right). The attack is therefore not remotely exploitable by unauthenticated users; it depends on a previously compromised privileged account or a misconfiguration that grants broad editing rights ([1]). Once the malicious content is saved, any user visiting a page that includes the vulnerable message, such as the ShortUrl listing or redirect page, will execute the injected script in their browser.
Impact
A successful stored XSS attack can lead to session hijacking, defacement, or unauthorized actions performed on behalf of the victim user. Since the script runs in the context of the legitimate wiki domain, it can access local storage, cookies, and make requests to the MediaWiki API, enabling account takeover or data exfiltration ([1]).
Mitigation Status
The vulnerability is fixed in UrlShortener extension versions 1.42.7 and 1.43.2. Administrators are strongly advised to upgrade immediately. The issue was resolved in the Phabricator task and is considered low risk by the Wikimedia Security Team, but the potential for privilege escalation via stored XSS justifies prompt patching ([1]).
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=1.42.0, <1.42.7; >=1.43.0, <1.43.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.