The WikiCategoryTagCloud extension allows certain parameters to be specified inside the <tagcloud> tags, like this (example copied from the extension's info page on MediaWiki.org):
<tagcloud>exclude=television,television_series,celebrities,food,yoga</tagcloud>
As reported by [[https://www.mediawiki.org/wiki/Extension_talk:WikiCategoryTagCloud#Vulnerable_to_SQL_Injection.3F|an anonymous MediaWiki.org user on 19 August 2015]], the value of the `exclude` parameter isn't sanitized properly ([[https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FWikiCategoryTagCloud/f1e5763f9cd787d48f25b7090b958e07d01285b7/WikiCategoryTagCloud.php#L95|line 95 of WikiCategoryTagCloud.php]]), which could allow SQL injection, since the extension uses raw SQL (partly because the extension does a WHERE ... NOT IN query, which AFAIK isn't supported by MediaWiki's database abstraction layer).
The fix is to use Database's handy `makeList()` here on the array variable (`$excluded_categories`), so that each category name is quoted by the database layer before it is interpolated into the NOT IN list.
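To make the pattern concrete, here is an added PHP sketch; it is not the extension's code. The parsing helpers, the `categorylinks`/`cl_to` names, and the small `FakeDatabase` stand-in for MediaWiki's Database class are assumptions so that it runs offline. It shows an `exclude` value containing a quote breaking out of a hand-built NOT IN list, and the same value staying an inert string literal once `makeList()` quotes it:

```php
<?php
// Added illustration (not WikiCategoryTagCloud's code): how an unquoted
// <tagcloud> parameter reaches SQL, and what the makeList() fix changes.

// Stand-in for the two Database methods used below (assumption: mimics
// MySQL-style quoting; the real class escapes via the driver).
class FakeDatabase {
    public function addQuotes( $s ) {
        if ( $s === null ) {
            return 'NULL';
        }
        return "'" . str_replace(
            [ '\\', "'", "\0", "\n", "\r", "\x1a" ],
            [ '\\\\', "\\'", '\\0', '\\n', '\\r', '\\Z' ],
            $s
        ) . "'";
    }

    // Same shape as Database::makeList() in its default LIST_COMMA mode:
    // every value quoted, joined with commas.
    public function makeList( array $a ) {
        return implode( ',', array_map( [ $this, 'addQuotes' ], $a ) );
    }
}

// Hypothetical parser for the text between <tagcloud> tags: one
// "key=value" pair per line, exclude being a comma-separated list.
function parseTagcloudParams( $text ) {
    $params = [];
    foreach ( preg_split( '/\r?\n/', trim( $text ) ) as $line ) {
        if ( strpos( $line, '=' ) === false ) {
            continue;
        }
        list( $key, $value ) = explode( '=', $line, 2 );
        $params[trim( $key )] = trim( $value );
    }
    return $params;
}

function excludedCategories( array $params ) {
    if ( !isset( $params['exclude'] ) || $params['exclude'] === '' ) {
        return [];
    }
    return array_map( 'trim', explode( ',', $params['exclude'] ) );
}

// Illustrative vulnerable pattern: user-supplied names dropped straight
// into the SQL string. A name containing a quote ends the string literal.
function buildVulnerableConds( array $excluded ) {
    return "cl_to NOT IN ('" . implode( "','", $excluded ) . "')";
}

// Hardened pattern: the database layer quotes each value. Returned as a
// conditions array suitable for Database::select(); an empty exclude list
// yields no condition at all, because "NOT IN ()" is a syntax error.
function buildSafeConds( FakeDatabase $dbr, array $excluded ) {
    $conds = [];
    if ( $excluded ) {
        $conds[] = 'cl_to NOT IN (' . $dbr->makeList( $excluded ) . ')';
    }
    return $conds;
}

$dbr = new FakeDatabase();

// Constructed wikitext: the documented example, then a value that smuggles
// a closing quote and parenthesis into the list.
$benign  = "exclude=television,television_series,celebrities,food,yoga";
$hostile = "exclude=television,yoga') OR ('1'='1";

foreach ( [ $benign, $hostile ] as $text ) {
    $excluded = excludedCategories( parseTagcloudParams( $text ) );
    echo "raw:  " . buildVulnerableConds( $excluded ) . "\n";
    echo "safe: " . implode( ' AND ', buildSafeConds( $dbr, $excluded ) ) . "\n\n";
}
// In the extension the safe $conds would go into something like
// $dbr->select( 'categorylinks', [ 'cl_to', 'COUNT(*) AS count' ], $conds,
//               __METHOD__, [ 'GROUP BY' => 'cl_to' ] );  (assumed shape)
```

For the hostile input the raw builder yields `cl_to NOT IN ('television','yoga') OR ('1'='1')`, an always-true condition spliced onto the query; the `makeList()` version keeps the whole payload inside one quoted literal. Note the empty-list guard: `makeList()` on an empty array returns an empty string, so the fix should only emit the NOT IN clause when there is something to exclude.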