VYPR
Medium severity · 5.4 · NVD Advisory · Published Jul 8, 2025 · Updated Apr 15, 2026

CVE-2025-7363

Description

The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject arbitrary JavaScript.

This issue affects the MediaWiki TitleIcon extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-7363 is a stored XSS in MediaWiki's TitleIcon extension where the #titleicon_unicode function lacks input sanitization, allowing arbitrary JavaScript injection.

Vulnerability

The TitleIcon extension for MediaWiki is vulnerable to stored cross-site scripting (XSS) through the #titleicon_unicode parser function. User-supplied input is directly wrapped in an HtmlArmor object without any sanitization or validation, then rendered in the page header. This means any wikitext using this function can inject arbitrary HTML and JavaScript.
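As an added illustration of the pattern named above (this is example code, not the TitleIcon extension's or MediaWiki's own source), the PHP below models what "wrapped in an HtmlArmor object without sanitization" means in practice. In MediaWiki, HtmlArmor is a marker class that tells output code a string is already safe HTML and must not be escaped; a minimal stand-in class is defined here so the snippet runs on its own. The renderer escapes plain strings but passes armored strings through verbatim, so armoring raw user input hands that input straight to the page. The hardened variant escapes first and, going beyond the advisory, also rejects input that does not look like the short glyph the parameter is meant to carry. The names HtmlArmorStandIn, renderHeader, vulnerableTitleIcon and hardenedTitleIcon, the allow-list pattern and the sample inputs are all assumptions constructed for this example.

```php
<?php
// Minimal stand-in for MediaWiki's HtmlArmor: a marker that tells output
// code "this string is already safe HTML, do not escape it".
// Simplified for illustration; not the real MediaWiki class.
final class HtmlArmorStandIn {
    private string $html;
    public function __construct(string $html) { $this->html = $html; }
    public function getHtml(): string { return $this->html; }
}

// Hypothetical page-header renderer: plain strings are escaped, armored
// strings are trusted and emitted as-is.
function renderHeader($value): string {
    if ($value instanceof HtmlArmorStandIn) {
        return '<h1>' . $value->getHtml() . '</h1>';
    }
    return '<h1>' . htmlspecialchars((string)$value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// Vulnerable pattern, as the advisory describes it: user input is armored
// without sanitization, so the renderer trusts it as HTML.
function vulnerableTitleIcon(string $userInput): string {
    return renderHeader(new HtmlArmorStandIn($userInput));
}

// Hardened pattern: validate the shape of the value, then escape it before
// anything marks it as safe. Rejecting unexpected input is safer than
// trying to "clean" it.
function hardenedTitleIcon(string $userInput): string {
    // Constructed allow-list: a short run of characters that cannot open
    // markup. Tighten or loosen to match what the parameter really accepts.
    if (!preg_match('/^[^<>"\'&]{1,8}$/u', $userInput)) {
        return renderHeader('');
    }
    $escaped = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return renderHeader(new HtmlArmorStandIn($escaped));
}

// Constructed sample inputs (not taken from the advisory).
$benign  = "\u{1F512}";                   // a single emoji, the intended kind of value
$hostile = '<script>alert(1)</script>';    // markup that must never reach the page raw

echo vulnerableTitleIcon($benign), "\n";   // glyph rendered inside the header
echo vulnerableTitleIcon($hostile), "\n";  // markup emitted verbatim: the stored XSS
echo hardenedTitleIcon($benign), "\n";     // glyph still rendered
echo hardenedTitleIcon($hostile), "\n";    // rejected by the allow-list, header left empty
```

The defender-side check is the same in both functions: grep the code path for places where user-controlled data reaches an armor or "raw HTML" wrapper, and confirm that escaping or validation happens before the wrap rather than being skipped because of it.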

Exploitation

An attacker can exploit this by inserting a malicious payload, such as ``, into a wiki page via the parser function. The payload executes when a victim visits the page. The vulnerability also likely affects search results, as noted in the Phabricator report [1]. No special privileges are required beyond the ability to edit pages, making it accessible to any user with edit rights.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session theft, credential exfiltration, defacement, or further actions within the wiki environment.

Mitigation

The issue is fixed in TitleIcon versions 6.2.1 (for older branches) and 6.3.0 (for newer branches), corresponding to MediaWiki 1.39.13, 1.42.7, and 1.43.2. Users should update their extension to the patched version. No workaround is available without updating.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
