CVE-2025-59839: 
PHP vulnerability analysis and mitigation

The EmbedVideo extension for MediaWiki contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-59839. The vulnerability was discovered and disclosed on September 24, 2025, affecting versions 4.0.0 and earlier of the extension. The vulnerability allows attackers to inject arbitrary HTML attributes into the DOM through wikitext, potentially leading to JavaScript code execution (GitHub Advisory).

The vulnerability stems from the extension's improper handling of data attributes, specifically the unreserved 'data-iframeconfig' attribute that can be set via wikitext. The issue occurs in the iframe attribute population process where values from unreserved data attributes are directly used without proper sanitization. This allows attackers to execute JavaScript through attributes like 'onload' or 'onmouseenter'. The vulnerability has been assigned a CVSS v3.1 score of 8.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (GitHub Advisory).

The vulnerability allows attackers to insert arbitrary HTML into the DOM, enabling JavaScript code execution by any user. This can lead to high confidentiality impact and low integrity and availability impacts. The attack requires no special privileges or user interaction, making it particularly dangerous in a wiki environment where multiple users can edit content (GitHub Advisory).

As of the disclosure date, no patched versions are available. The vulnerability was addressed in a commit that changes the data attribute from 'data-iframeconfig' to 'data-mw-iframeconfig' to use MediaWiki's reserved prefix, but this fix has not been released in a new version (GitHub Commit).