Page MenuHomePhabricator
Create Task
Maniphest T411144

CVE-2026-22713: Stored XSS through edit summaries in GrowthExperiments
Closed, ResolvedPublicSecurity
Actions

Assigned To
SomeRandomDeveloper
Authored By
SomeRandomDeveloper
Nov 26 2025, 9:46 PM
Tags
Referenced Files
F70676157: T411144-2.patch
Nov 26 2025, 9:54 PM
F70676092: T411144.patch
Nov 26 2025, 9:50 PM
F70675861: image.png
Nov 26 2025, 9:46 PM
F70675855: image.png
Nov 26 2025, 9:46 PM
Subscribers
Aklapper
DMburugu
gerritbot
KStoller-WMF
Michael
Mstyles
sbassett
View All 9 Subscribers

Description

The GrowthExperiments extension inserts parsed, user-controlled wikitext into autocomments, allowing for stored XSS to be performed by anybody who can edit.

Reproduction steps

  1. Install GrowthExperiments
  2. Create Template:AutocommentPayload with <pre tabindex="0" data-xss="[[#/autofocus/onfocus=alert(1);//">]]</pre> as the contents
  3. Edit an existing(!) page and set the edit summary to /*growthexperiments-manage-mentors-summary-add-admin-no-reason:{{AutocommentPayload}}*/
  4. Click "Show changes"

image.png (397×972 px, 59 KB)

image.png (210×451 px, 26 KB)

The payload will also be executed in other places that render edit summaries, like ?action=history or Special:RecentChanges.

Cause

The extension sets the autocomment to a parsed message with a user-provided param:
https://gerrit.wikimedia.org/g/mediawiki/extensions/GrowthExperiments/+/289fbf05350e5476bbdaa3262b41e4c3bdf88ab0/includes/Mentorship/Hooks/MentorHooks.php#277

Parsed HTML is not safe to use in edit summaries.

The XSS is also exploitable by users with the editinterface permission. There are 15 affected messages:
https://gerrit.wikimedia.org/g/mediawiki/extensions/GrowthExperiments/+/289fbf05350e5476bbdaa3262b41e4c3bdf88ab0/includes/Mentorship/Hooks/MentorHooks.php#259
https://gerrit.wikimedia.org/g/mediawiki/extensions/GrowthExperiments/+/289fbf05350e5476bbdaa3262b41e4c3bdf88ab0/includes/HomepageHooks.php#1249
Another message is inserted as text, allowing for stored XSS as well:
https://gerrit.wikimedia.org/g/mediawiki/extensions/GrowthExperiments/+/289fbf05350e5476bbdaa3262b41e4c3bdf88ab0/includes/Mentorship/Hooks/MentorHooks.php#252

Explanation

The payload is explained in T409737, which is essentially the same issue (but not exploitable by unprivileged users).

Additional information

  • MediaWiki: 1.46.0-alpha
  • GrowthExperiments: e510edc

Details

Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Escape system messages used in edit summariesmediawiki/extensions/GrowthExperimentsREL1_43+3 -3
SECURITY: Escape system messages used in edit summariesmediawiki/extensions/GrowthExperimentsREL1_44+3 -3
SECURITY: Escape system messages used in edit summariesmediawiki/extensions/GrowthExperimentsREL1_45+3 -3
SECURITY: Escape system messages used in edit summariesmediawiki/extensions/GrowthExperimentsmaster+3 -3
Customize query in gerrit

Related Objects

Event Timeline

SomeRandomDeveloper created this task.Nov 26 2025, 9:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 26 2025, 9:46 PM
SomeRandomDeveloper added projects: Vuln-XSS, GrowthExperiments.Nov 26 2025, 9:46 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptNov 26 2025, 9:46 PM
SomeRandomDeveloper added a project: Patch-For-Review.Nov 26 2025, 9:50 PM

As far as I can see, the affected messages don't need to be parsed, at least their English versions. I'll check the other ones shortly.

T411144.patch1 KBDownload

SomeRandomDeveloper updated the task description. (Show Details)Nov 26 2025, 9:52 PM

Updated patch which also escapes growthexperiments-mentorship-enrollasmentor-summary:

T411144-2.patch1 KBDownload

SomeRandomDeveloper added a comment.EditedNov 26 2025, 10:12 PM

I've looked through https://codesearch.wmcloud.org/search/?q=growthexperiments-mentorship-enrollasmentor-summary%7Cgrowthexperiments-manage-mentors-summary-%28add-admin-no-reason%7Cadd-admin-with-reason%7Cadd-self-no-reason%7Cadd-self-with-reason%7Cchange-admin-no-reason%7Cchange-admin-with-reason%7Cchange-self-no-reason%7Cchange-self-with-reason%7Cremove-admin-no-reason%7Cremove-admin-with-reason%7Cremove-self-no-reason%7Cremove-self-with-reason%29%7Cgrowthexperiments-addlink-summary-summary%7Cgrowthexperiments-addimage-summary-summary%7Cgrowthexperiments-addsectionimage-summary-summary&files=i18n%2F&excludeFiles=&repos= and I didn't see anything that would need to be parsed, since {{GENDER}} and {{PLURAL}} should also work when using the ->escaped() output mode (but it's also possible that I missed something, since there are so many translations...)

The last question is probably whether there are parameters that are intentionally parsed... The growthmanagementorlist for example takes a user-provided summary parameter, which is then inserted into an autogenerated edit summary, so it's possible that wikitext is used here.

SomeRandomDeveloper mentioned this in T411151: CommentParser::doWikiLinks should be able to operate safely on safe HTML.Nov 26 2025, 11:57 PM
sbassett added subscribers: Urbanecm_WMF, Michael, DMburugu and 2 others.Dec 1 2025, 7:55 PM
In T411144#11411297, @SomeRandomDeveloper wrote:

Updated patch which also escapes growthexperiments-mentorship-enrollasmentor-summary:

T411144-2.patch1 KBDownload

The updated patch LGTM, CR+1. I think we can likely get this deployed during today's (2025-12-01) security deployment window. Tagging a few other folks from Growth just for awareness.

sbassett changed the task status from Open to In Progress.Dec 1 2025, 7:56 PM
sbassett triaged this task as Medium priority.
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Mstyles subscribed.Dec 1 2025, 10:42 PM
In T411144#11411297, @SomeRandomDeveloper wrote:

Updated patch which also escapes growthexperiments-mentorship-enrollasmentor-summary:

T411144-2.patch1 KBDownload

Deployed

Mstyles moved this task from Security Patch To Deploy to Watching on the Security-Team board.Dec 1 2025, 10:45 PM
Mstyles mentioned this in T404620: Write and send supplementary release announcement for extensions and skins with security patches (1.39.16/1.43.6/1.44.3/1.45.1).Dec 1 2025, 10:49 PM
sbassett removed a project: Patch-For-Review.Dec 2 2025, 3:33 PM
sbassett assigned this task to SomeRandomDeveloper.Dec 8 2025, 4:53 PM
Mstyles added a subscriber: gerritbot.Jan 7 2026, 10:45 PM
gerritbot added a comment.Jan 7 2026, 10:47 PM

Change #1224211 had a related patch set uploaded (by Mstyles; author: SomeRandomDeveloper):

[mediawiki/extensions/GrowthExperiments@REL1_45] SECURITY: Escape system messages used in edit summaries

https://gerrit.wikimedia.org/r/1224211

gerritbot added a project: Patch-For-Review.Jan 7 2026, 10:47 PM

Change #1224212 had a related patch set uploaded (by Mstyles; author: SomeRandomDeveloper):

[mediawiki/extensions/GrowthExperiments@REL1_44] SECURITY: Escape system messages used in edit summaries

https://gerrit.wikimedia.org/r/1224212

gerritbot added a comment.Jan 7 2026, 10:47 PM

Change #1224213 had a related patch set uploaded (by Mstyles; author: SomeRandomDeveloper):

[mediawiki/extensions/GrowthExperiments@REL1_43] SECURITY: Escape system messages used in edit summaries

https://gerrit.wikimedia.org/r/1224213

Urbanecm_WMF edited projects, added Growth-Team (FY2025-26 Q2 Sprint 6); removed Growth-Team.Jan 8 2026, 1:25 PM
Urbanecm_WMF moved this task from Incoming to QA on the Growth-Team (FY2025-26 Q2 Sprint 6) board.
Urbanecm_WMF added a comment.Jan 8 2026, 1:34 PM

@Mstyles For your awareness, there seems to be a CI problem with the release backports:

14:26:26 InvalidArgumentException from line 806 of /workspace/src/includes/registration/ExtensionProcessor.php: It was attempted to load MetricsPlatform twice, from /workspace/src/extensions/MetricsPlatform/extension.json and /workspace/src/extensions/TestKitchen/extension.json.
14:26:26 #0 /workspace/src/includes/registration/ExtensionProcessor.php(278): MediaWiki\Registration\ExtensionProcessor->extractCredits()
14:26:26 #1 /workspace/src/includes/registration/ExtensionProcessor.php(251): MediaWiki\Registration\ExtensionProcessor->extractInfo()
14:26:26 #2 /workspace/src/includes/installer/Installer.php(1651): MediaWiki\Registration\ExtensionProcessor->extractInfoFromFile()
14:26:26 #3 /workspace/src/includes/installer/Installer.php(1549): MediaWiki\Installer\Installer->getAutoExtensionData()
14:26:26 #4 [internal function]: MediaWiki\Installer\Installer->includeExtensions()
14:26:26 #5 /workspace/src/includes/installer/Installer.php(1767): call_user_func()
14:26:26 #6 /workspace/src/includes/installer/CliInstaller.php(221): MediaWiki\Installer\Installer->performInstallation()
14:26:26 #7 /workspace/src/maintenance/install.php(214): MediaWiki\Installer\CliInstaller->execute()
14:26:26 #8 /workspace/src/maintenance/includes/MaintenanceRunner.php(703): CommandLineInstaller->execute()
14:26:26 #9 /workspace/src/maintenance/doMaintenance.php(100): MediaWiki\Maintenance\MaintenanceRunner->run()
14:26:26 #10 /workspace/src/maintenance/install.php(285): require_once('...')
14:26:26 #11 {main}
gerritbot added a comment.Jan 8 2026, 2:05 PM

Change #1224210 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Escape system messages used in edit summaries

https://gerrit.wikimedia.org/r/1224210

Mstyles added a comment.Jan 8 2026, 6:01 PM

@Urbanecm_WMF I'm not sure what's causing the failures. I'll take a look.

gerritbot added a comment.Jan 8 2026, 9:53 PM

Change #1224211 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_45] SECURITY: Escape system messages used in edit summaries

https://gerrit.wikimedia.org/r/1224211

gerritbot added a comment.Jan 8 2026, 10:12 PM

Change #1224212 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_44] SECURITY: Escape system messages used in edit summaries

https://gerrit.wikimedia.org/r/1224212

gerritbot added a comment.Jan 8 2026, 10:20 PM

Change #1224213 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@REL1_43] SECURITY: Escape system messages used in edit summaries

https://gerrit.wikimedia.org/r/1224213

SomeRandomDeveloper added a comment.Jan 8 2026, 11:56 PM

This still needs a CVE; after that, if can probably be marked as resolved.

Mstyles renamed this task from Stored XSS through edit summaries in GrowthExperiments to CVE-2026-22713: Stored XSS through edit summaries in GrowthExperiments.Jan 9 2026, 12:01 AM
Mstyles closed this task as Resolved.
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits