CVE-2025-53486

Name of the Vulnerable Software and Affected Versions: MediaWiki WikiCategoryTagCloud extension versions 1.39.X through 1.39.12 MediaWiki WikiCategoryTagCloud extension versions 1.42.X through 1.42.6 MediaWiki WikiCategoryTagCloud extension versions 1.43.X through 1.43.1

Description: The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers, such as onmouseenter, using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud. This issue exists because the linkstyle parameter is only passed through Sanitizer::checkCss() and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement.

Recommendations: For MediaWiki WikiCategoryTagCloud extension versions 1.39.X through 1.39.12, update to version 1.39.13 or later. For MediaWiki WikiCategoryTagCloud extension versions 1.42.X through 1.42.6, update to version 1.42.7 or later. For MediaWiki WikiCategoryTagCloud extension versions 1.43.X through 1.43.1, update to version 1.43.2 or later. As a temporary workaround, consider disabling the linkstyle attribute in the WikiCategoryTagCloud extension until a patch is available.