Impact
This vulnerability allows an attacker to inject malicious scripts into edit summary fields, which are then rendered on subsequent pages. The flaw is an improper neutralization of input during web page generation, a cross-site scripting (XSS) weakness of the classic input-validation kind. Successful exploitation could let the attacker execute arbitrary client-side code in the context of victims who view the edited pages, undermining confidentiality and potentially enabling session hijacking or phishing.
Affected Systems
The flaw affects the Wikimedia Foundation’s MediaWiki GrowthExperiments extension in versions 1.39, 1.43, 1.44 and 1.45. These are used on Wikimedia sites that enable the GrowthExperiments feature, such as the main English Wikipedia and other Wikimedia projects that run the same extension stack.
Risk and Exploitability
The CVSS base score is 2.3, and the EPSS score is less than 1 %, indicating the vulnerability is considered low severity and has a low probability of being exploited in the wild. It is currently not listed in CISA’s KEV catalog. The attack vector is inferred to be via a crafted edit summary that an authenticated editor submits; the vulnerability does not require elevated privileges beyond the standard editing or writing permissions. Because the exploit requires user interaction on the page that contains the edit summary, the risk remains limited to users who view such pages.
OpenCVE Enrichment