Using a PHP_CodeSniffer sniff I wrote (see T171520), I was looking for bugs arising from the left associativity of PHP's ternary operator, and I happened across I18nTags::linkTrail(). While I was considering how to fix the bug, it occurred to me that this function is a parser tag hook that includes unescaped user input as part of its HTML output. The same is true for the three other tag hooks (formatnum, grammar, and plural).
This XSS vulnerability can be reproduced on translatewiki.net. You do not need an account. Just go to Special:ExpandTemplates, enter <formatnum><script>alert(1)</script></formatnum>, <grammar><script>alert(1)</script></grammar>, <plural><script>alert(1)</script></plural>, or <linktrail><script>alert(1)</script></linktrail> in the "Input wikitext:" box, and click "OK".
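The pattern described above, as an added example that is not part of the original report and is not the I18nTags source: a tag hook that returns its input unescaped, next to a version that escapes at the HTML boundary. The function names, the simplified two-argument hook signature (real MediaWiki tag hooks also receive the Parser and PPFrame), and the formatter stand-in are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical stand-ins, not code from the extension.

// Stand-in for a language-aware number formatter (assumption): groups digits
// when the input is numeric and otherwise returns the input unchanged, which
// is how markup can pass straight through a "formatting" step.
function formatNumberLike( string $text ): string {
	return is_numeric( $text ) ? number_format( (float)$text ) : $text;
}

// Vulnerable pattern: the hook's return value is treated as HTML, so the raw
// tag content reaches the page unescaped.
function tagHookUnsafe( ?string $input, array $args ): string {
	return formatNumberLike( trim( (string)$input ) );
}

// Hardened pattern: escape at the point where text becomes HTML output.
function tagHookSafe( ?string $input, array $args ): string {
	$text = formatNumberLike( trim( (string)$input ) );
	return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Regression check: does a hook hand back an unescaped angle bracket?
function returnsRawMarkup( callable $hook, string $payload ): bool {
	return strpos( $hook( $payload, [] ), '<' ) !== false;
}

// Constructed inputs: a benign number and the test string from the report.
$samples = [ '1234567', '<script>alert(1)</script>' ];
$hooks = [ 'tagHookUnsafe', 'tagHookSafe' ];

foreach ( $hooks as $hook ) {
	foreach ( $samples as $sample ) {
		printf(
			"%-14s %-28s => %-45s raw markup: %s\n",
			$hook,
			$sample,
			$hook( $sample, [] ),
			returnsRawMarkup( $hook, $sample ) ? 'yes' : 'no'
		);
	}
}
```

The same `returnsRawMarkup()` check can be pointed at each registered tag hook in a unit test so that a hook returning raw input fails the build.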