CVE-2025-53487

CVE-2025-53487: ApprovedRevs: Stored Cross-Site Scripting (XSS) via unsanitized system messages

Vendor: Wikimedia Foundation
Product: MediaWiki - ApprovedRevs extension
Weakness: CWE-79 (XSS)
Published: July 7, 2025
Last update: July 7, 2025

CVSS base score

What the vulnerability does

Description

The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. An attacker can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped. This issue affects the MediaWiki ApprovedRevs extension from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, and from 1.43.X before 1.43.2.
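The defect class described above, as an added illustration in plain PHP that is not code from the ApprovedRevs extension or MediaWiki: a message lookup whose x-xss pseudo-language branch returns a script tag for every key (an assumption mirroring the override's behaviour), an unsafe render that concatenates the message into HTML, the escaped render that neutralises it, and a check a regression test could use. The message key, catalogue and CSS class are constructed; in MediaWiki itself the safe forms are wfMessage( $key )->escaped() or Html::element() rather than ->text() into raw HTML.

```php
<?php
// Constructed message catalogue. The 'x-xss' branch imitates MediaWiki's x-xss
// pseudo-language, assumed here to return a script tag carrying the key for
// every message, which is how the uselang override surfaces unescaped output.
function lookupMessage(string $key, string $lang): string
{
    $catalogue = [
        'en' => ['approvedrevs-example' => 'Approved revision'],
    ];
    if ($lang === 'x-xss') {
        return '<script>alert("' . $key . '")</script>';
    }
    return $catalogue[$lang][$key] ?? "[$key]";
}

// Vulnerable pattern: message text concatenated into raw HTML unescaped.
function renderUnsafe(string $key, string $lang): string
{
    return '<span class="approvedrevs">' . lookupMessage($key, $lang) . '</span>';
}

// Hardened pattern: escape before insertion. In MediaWiki the equivalent is
// wfMessage( $key )->escaped() or Html::element( 'span', [], $msg->text() ).
function renderSafe(string $key, string $lang): string
{
    $escaped = htmlspecialchars(lookupMessage($key, $lang), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="approvedrevs">' . $escaped . '</span>';
}

// Regression check: rendered output must never contain a live <script> tag.
function containsScriptTag(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

// Render the same key under the normal language and the x-xss override;
// only renderUnsafe under x-xss trips the check.
foreach (['en', 'x-xss'] as $lang) {
    foreach (['renderUnsafe', 'renderSafe'] as $renderer) {
        $html = $renderer('approvedrevs-example', $lang);
        printf("%-12s %-6s script=%-3s %s\n", $renderer, $lang,
            containsScriptTag($html) ? 'YES' : 'no', $html);
    }
}
```

Running the whole wiki with the x-xss override enabled and grepping rendered pages for live script tags is the same check applied at scale, which is how this class of bug is normally found in MediaWiki extensions.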

Key dates

Disclosure timeline

July 7, 2025: CVE published
July 7, 2025: Record updated