CVE-2025-7362

CVE-2025-7362: MsUpload: Stored Cross-Site Scripting (XSS) via unsanitized msu-continue system message

Vendor Wikimedia Foundation
Product Mediawiki - MsUpload extension
Weakness CWE-79 · XSS
Published July 8, 2025
Last update July 10, 2025
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice. This issue affects Mediawiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Key dates

02Disclosure timeline

July 8, 2025 CVE published
July 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-46227 WordPress Custom Related Posts plugin <= 1.7.4 - Cross Site Scripting (XSS) Vulnerability CVE-2025-62967 WordPress DirectoryPress plugin <= 3.6.25 - Cross Site Scripting (XSS) vulnerability CVE-2026-29176 Craft Commerce has Stored XSS in Inventory Location Name CVE-2023-5668 WhatsApp Share Button <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-47326 WordPress Share This Image plugin <= 2.01 - Reflected Cross Site Scripting (XSS) vulnerability