The vulnerability is a stored cross‑site scripting flaw in the MediaWiki Score extension, caused by the use of non‑reserved data attributes that are not properly escaped when generating web pages. Because the input is stored and later rendered without neutralization, an attacker who can insert arbitrary data into a Score entry can cause the victim’s browser to execute malicious JavaScript, potentially enabling theft of session cookies, defacement of the page, or other client‑side compromise of confidentiality and integrity for any user who views the affected content.

The flaw affects the Wikimedia Foundation’s MediaWiki Score extension across the MediaWiki 1.43, 1.44, and 1.45 release branches. Any installation that uses the Score extension and has not applied the fix from the master branch is vulnerable. The issue was addressed in the current master and the official release branches for the mentioned MediaWiki versions.

The CVSS score of 6.9 places it in the high severity range, but the EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation activity. Attackers would typically need to supply data via the Score extension’s input interface, which, if exposed to untrusted users, provides a remote attack vector that can be leveraged from any connected client. While the impact is contained to the victim’s browser, the widespread nature of MediaWiki installations means the potential attack surface is large.