PT-2025-4300 · Unknown · Tabberneue

Blankeclair · Published 2025-01-06 · Updated 2025-01-07 · CVE-2025-21612

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions

TabberNeue versions prior to 2.7.2

Description

The issue arises from unescaped user input being used to construct HTML, allowing any user who can edit pages or render wikitext to perform cross-site scripting (XSS) attacks on other users. Specifically, in TabberTransclude.php, the user-supplied page name is not escaped when outputting, enabling an XSS payload to be used as the page name. This vulnerability can be exploited by rendering malicious wikitext, potentially allowing an attacker to trick victims into clicking on links to Special:ExpandTemplates with the malicious wikitext in the wpInput parameter.

Recommendations

For versions prior to 2.7.2, update to version 2.7.2 to patch this vulnerability. As a temporary workaround, consider restricting access to the TabberTransclude.php module to minimize the risk of exploitation. Additionally, avoid using unescaped user input in the wpInput parameter until the issue is resolved.
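
The unescaped-page-name pattern from the Description, next to an escaped version, as an added example. It is not TabberNeue's code: the function names, the markup and the sample page name are constructed for illustration.

```php
<?php
// Added illustration, not TabberNeue's code: function names, markup and the
// sample page name are hypothetical/constructed.

// Vulnerable pattern: the page name is concatenated into an attribute and
// into element text without escaping.
function renderTabUnsafe(string $pageName): string {
    return '<div class="tab" data-page="' . $pageName . '">'
        . '<a href="#">' . $pageName . '</a></div>';
}

// Hardened pattern: escape at the point of output. ENT_QUOTES covers both
// quote styles, so the value cannot close the attribute it sits in.
function renderTabSafe(string $pageName): string {
    $escaped = htmlspecialchars($pageName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="tab" data-page="' . $escaped . '">'
        . '<a href="#">' . $escaped . '</a></div>';
}

// Parse a fragment and list the elements an HTML parser creates from it,
// so injected markup shows up as unexpected element names.
function elementNames(string $html): array {
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $names = [];
    foreach ($doc->getElementsByTagName('*') as $element) {
        if (!in_array($element->nodeName, ['html', 'body'], true)) {
            $names[] = $element->nodeName;
        }
    }
    return $names;
}

// Constructed page name containing a quote and harmless markup.
$pageName = 'Help:Tabs"><b>bold</b>';

foreach (['renderTabUnsafe', 'renderTabSafe'] as $render) {
    $html = $render($pageName);
    echo $render, ":\n  ", $html, "\n  elements: ",
        implode(', ', elementNames($html)), "\n";
}
```

In MediaWiki extension code the same escaping is normally obtained by building the markup with the `Html::element` helper, which escapes both attribute values and contents.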

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-21612
GHSA-4X6X-8RM8-C37J

Affected Products

Tabberneue