CVE-2025-7362
Description
The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice.
This issue affects Mediawiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in MediaWiki MsUpload extension via unsanitized msu-continue message.
The MsUpload extension for MediaWiki is vulnerable to stored cross-site scripting (XSS) through the msu-continue system message. This message is retrieved using mw.msg() in text mode and directly appended to the DOM via jQuery's .append() method without any sanitization [1]. As a result, an attacker can inject arbitrary HTML and JavaScript into the file upload interface.
To exploit the vulnerability, an attacker must have the ability to edit a page on the wiki. The attack requires the wiki to have the WikiEditor and MsUpload extensions enabled, and the parameter uselang=x-xss must be present in the edit URL to access the XSS language variant. Then, the attacker drags a file with the same name as an already-uploaded file into the drop zone. Alternatively, an attacker with the ability to edit the MediaWiki system message MediaWiki:Msu-continue can directly inject malicious script into that message [1].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user who uploads a file with a duplicate name. This can lead to session hijacking, defacement, or theft of sensitive data.
The vulnerability affects MsUpload extension versions from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, and from 1.43.X before 1.43.2. Patches are available in the referenced Phabricator task [1]. Administrators should update the extension to the latest version or restrict editing of system messages to trusted users.
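The following is an added example, not code from the MsUpload extension or the MediaWiki project. It models the sink described above (a system message read in text mode and appended as HTML) next to the hardened form (escaping the message, as mw.message(...).escaped() does, before it reaches the DOM), plus a small audit helper an administrator could run over client-rendered system messages. The messageStore contents, the message() stand-in and the function names are all constructed for this demonstration.

```javascript
// Added example: the vulnerable sink pattern vs. the hardened one, with a
// tiny stand-in for mw.message(). Not MsUpload's or MediaWiki's own code.

// HTML escaping equivalent to what mw.message(key).escaped() returns.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Constructed stand-in for the client-side message store. On a real wiki these
// strings come from the MediaWiki: namespace (e.g. MediaWiki:Msu-continue) and
// can be changed by anyone allowed to edit interface messages.
const messageStore = {
  'msu-continue': 'Continue?',                                // constructed default
  'msu-continue-tampered': 'Continue? <b data-x="1">!</b>',   // constructed: markup inside a message
};

// Minimal model of mw.message(key): .text() is the raw message (what mw.msg()
// returns), .escaped() is the HTML-escaped form.
function message(key) {
  const raw = Object.prototype.hasOwnProperty.call(messageStore, key)
    ? messageStore[key]
    : `[${key}]`;
  return { text: () => raw, escaped: () => escapeHtml(raw) };
}

// Vulnerable pattern: the raw message text is inserted where HTML is parsed
// (jQuery .append(string) treats the string as markup), so any tags the
// message carries become live DOM.
function renderNoticeVulnerable(key) {
  return `<div class="msu-notice">${message(key).text()}</div>`;
}

// Hardened pattern: escape first (or equivalently insert via .text() / a text
// node), so tag characters in the message render literally.
function renderNoticeHardened(key) {
  return `<div class="msu-notice">${message(key).escaped()}</div>`;
}

// Audit helper: list message keys whose value contains HTML tag syntax, which
// an admin can run over system messages that the UI renders client-side.
function messagesWithMarkup(store) {
  return Object.keys(store).filter((k) => /<\s*\/?\s*[a-zA-Z]/.test(store[k]));
}
```

The design point is that the fix belongs at the sink: the message value cannot be trusted because it is user-editable configuration, so the rendering code must escape it (or use a text-only insertion) rather than assume the message contains no markup.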
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=1.39.0,<1.39.13 || >=1.42.0,<1.42.7 || >=1.43.0,<1.43.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.