CVE-2025-59839: 
PHP vulnerability analysis and mitigation

The EmbedVideo Extension, a MediaWiki extension that adds parser functions for embedding video clips from various video sharing services, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-59839) in versions 4.0.0 and prior. The vulnerability was discovered on September 25, 2025, and allows attackers to add arbitrary attributes to HTML elements through wikitext (GitHub Advisory).

The vulnerability stems from the extension's use of unreserved data attributes (data-iframeconfig) that can be set via wikitext. The attributes of an iframe are populated with values from these unreserved data attributes, allowing arbitrary HTML insertion into the DOM. This enables execution of JavaScript through attributes like onload or onmouseenter. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, indicating network attack vector, low complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability allows any user to insert arbitrary HTML into the DOM, enabling JavaScript code execution in the context of other users' browsers. This could lead to theft of sensitive information, session hijacking, and other malicious actions typically associated with XSS attacks (GitHub Advisory).

The vulnerability has been patched via commit 4e075d3, which prevents data attributes starting with data-mw- from being inserted via wikitext. Users should upgrade to versions containing this patch (NVD).