While reviewing random patches I found a whole bunch of places in MediaWiki-extensions-Cargo where unescaped output from Message::text() is used as if it is HTML: https://codesearch.wmcloud.org/search/?q=(text%7Cplain)%5C(%5CW*%5C.&repos=Extension:Cargo. This allows injecting arbitrary HTML and JavaScript by anyone who manages to manipulate the messages in question.
As far as I'm aware, this is one of the more relevant, alive extensions. Luckily WikiApiary is online today: https://wikiapiary.com/wiki/Extension:Cargo. It reports the extension being used on 290 websites.
I'm not sure how to classify this so I will start with this being a restricted Security-Team task.
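
The query in the code search link above, URL-decoded, is `(text|plain)\(\W*\.`: a `text()` or `plain()` call followed by the PHP concatenation operator. The script below is an added example, not part of the original report or of the Cargo code base; it applies that same pattern to PHP source so a local checkout can be audited the same way. The sample PHP lines and message keys are constructed.

```python
import re
from pathlib import Path

# Pattern from the code search URL in the report, URL-decoded: text() or
# plain() followed, after only non-word characters, by the "." operator.
RAW_MESSAGE_CONCAT = re.compile(r"(text|plain)\(\W*\.")


def find_raw_message_concat(php_source):
    """Return (line_number, method, stripped_line) for each matching line."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        match = RAW_MESSAGE_CONCAT.search(line)
        if match:
            hits.append((number, match.group(1), line.strip()))
    return hits


def scan_tree(root):
    """Apply the pattern to every .php file under root (a local checkout)."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        source = path.read_text(encoding="utf-8", errors="replace")
        hits = find_raw_message_concat(source)
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample, not taken from the Cargo code base. Lines 1 and 2
# concatenate raw message text into HTML; line 3 uses Message::escaped();
# line 4 passes text() to Html::element(), which escapes its contents.
SAMPLE = """\
$html = '<p>' . wfMessage( 'example-intro' )->text() . '</p>';
$html .= '<b>' . wfMessage( 'example-label' )->plain() . '</b>';
$html .= '<p>' . wfMessage( 'example-intro' )->escaped() . '</p>';
$html .= Html::element( 'p', [], wfMessage( 'example-intro' )->text() );
"""

if __name__ == "__main__":
    for number, method, line in find_raw_message_concat(SAMPLE):
        print(f"line {number}: {method}() concatenated: {line}")
```

The pattern is a heuristic: each hit still needs a manual check that the string ends up in HTML output, and a message assigned to a variable before concatenation is not matched.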