Impact
A vulnerability in the WikiLove extension for MediaWiki allows an attacker to inject script that the extension stores and later renders in other users' browsers. The underlying weakness is CWE-87, improper neutralization of alternate XSS syntax: input is filtered for the obvious form of a script injection but not for equivalent forms of the same markup, so a crafted payload persists and executes in the victim's session with the victim's cookies and privileges. That enables session hijacking, defacement of the wiki as seen by the victim, or phishing. The result is a stored cross-site scripting flaw.
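To make the CWE-87 point concrete, the following is an added JavaScript example; it is not WikiLove's or MediaWiki's code, and the payloads and function names (naiveSanitize, escapeHtml, containsActiveContent) are constructed for illustration only. It places a renderer that only strips a literal, lower-case script tag, the kind of filter alternate XSS syntax slips past, beside an escaping approach that never lets stored text reach the HTML parser, and a crude detector that shows which stored payloads each approach leaves executable:

```javascript
// Added example, not code from the WikiLove extension or MediaWiki.
// Demonstrates CWE-87: a filter that removes one spelling of a script
// injection while leaving equivalent (alternate) syntax in place.

// Constructed payloads an attacker could try to store as message text.
const PAYLOADS = [
  '<script>alert(1)</script>',            // the one form the naive filter knows
  '<img src=x onerror=alert(1)>',         // event-handler attribute
  '<a href="javascript:alert(1)">love</a>', // javascript: URL
  '<ScRiPt>alert(1)</ScRiPt>',            // case variation
  '<svg/onload=alert(1)>',                // slash instead of whitespace
];

// Vulnerable: a blacklist of exactly one tag, case-sensitive.
// Everything except the first payload survives untouched.
function naiveSanitize(message) {
  return message.replace(/<script>.*?<\/script>/g, '');
}

// Hardened: escape the five HTML metacharacters so the stored message is
// always rendered as text, whatever syntax it used.
function escapeHtml(message) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return message.replace(/[&<>"']/g, (c) => map[c]);
}

// Crude check for content a browser would execute: a script tag in any
// case, an on* event attribute on any tag, or a javascript: URL in a
// URL-bearing attribute. Good enough to compare the two renderers above;
// not a sanitizer in its own right.
function containsActiveContent(html) {
  return /<\s*script/i.test(html) ||
         /<[^>]+[\s/]on\w+\s*=/i.test(html) ||
         /(href|src|action)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Run every payload through a renderer and report which ones stay live.
function evaluate(renderer) {
  return PAYLOADS.map((p) => containsActiveContent(renderer(p)));
}

// evaluate(naiveSanitize) -> [false, true, true, true, true]
// evaluate(escapeHtml)    -> [false, false, false, false, false]
```

The naive filter stops exactly one payload; the other four are the alternate syntaxes CWE-87 describes. In a browser the equivalent of escapeHtml is writing the message to textContent rather than innerHTML; in MediaWiki the idiomatic helpers are mw.html.escape on the client side and htmlspecialchars or Html::element in PHP.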
Affected Systems
The flaw affects installations of the Wikimedia Foundation's MediaWiki that run the WikiLove extension without the fix: any WikiLove checkout from a release branch before 1.43, and checkouts from the 1.43, 1.44, 1.45 or master branches taken before the patch landed. The fix has been applied to master and backported to the release branches for MediaWiki 1.43, 1.44 and 1.45, so a WikiLove checkout taken from any of those branches after the patch is no longer vulnerable. Special:Version on a wiki lists the installed extensions with their versions and, where available, their Git revisions, which is the quickest way to confirm which WikiLove revision is actually deployed.
Risk and Exploitability
The CVSS v3.1 base score of 6.9 places the issue at medium severity. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is a stored XSS, however, the attacker only needs to get a crafted payload into content the extension renders, for instance by adding or editing a WikiLove system message; no other prerequisites are noted. Editing system messages in the MediaWiki namespace normally requires the editinterface right (held by interface administrators by default), so on most wikis the pool of accounts that can plant a payload is small, but any account with write access to the messages WikiLove displays can do so, and the payload then fires in the browser of every user who views it. The absence of a public exploit does not remove the risk: once stored, the payload is triggered remotely without further action by the attacker.
OpenCVE Enrichment