Proper handling of user input is essential for safe web page rendering. The CampaignEvents extension fails to neutralize characters used in localized wiki names, allowing injected code to appear in the output HTML. When a victim’s browser renders the impacted page, the injected code is executed in that user’s context. The nature of the vulnerability permits the execution of arbitrary scripts in the browser running the affected page.

The bug resides in the CampaignEvents extension of the MediaWiki platform maintained by the Wikimedia Foundation. No individual versions are cited, but the fix was applied only on the master branch; therefore, all releases built from older baselines remain affected until the updated code is deployed.

The CVSS base score of 6.9 signals a moderate severity level. An EPSS score of less than 1 % indicates a low probability of exploitation in the wild, and the defect is not yet listed in the CISA KEV catalog. The likely attack path involves an attacker supplying a malicious string in a wiki name field that is subsequently incorporated into a web page for other users. Existence of this vector requires that the manipulated field be accessible to non‑trusted users, which raises the risk profile for sites that allow open editing of wiki names but mitigates it for tightly controlled deployments.