As reported via Aidil Arief to security@ on 2021-10-16:
**Description**
There appears to be an XSS via the caption fields for a given media file in Special:UploadWizard. I've tested a couple of variations of the provided payload (`"><img src=x onerror=prompt()>`) which do not seem to execute, but the provided payload definitely does.
**Update:** Actually, I don't think this has to specifically do with the Upload Wizard at all - the caption data just doesn't seem to be properly escaped anywhere the media file is displayed.
**Steps to reproduce**
# Log in to commons.wikimedia.org
# Upload your media file at https://commons.wikimedia.org/wiki/Special:UploadWizard, or work with an existing media file
# Input `"><img src=x onerror=prompt()>` or similar as a value for one or more caption fields for the media file
# Navigating to the media file will produce the JavaScript prompt
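The report's payload `"><img src=x onerror=prompt()>` is an attribute-context breakout: the leading `"` closes the attribute the caption is written into, `>` closes the tag, and the rest of the string becomes a new `<img>` element whose `onerror` handler fires because `src=x` cannot load. The following is an added example, not MediaWiki or UploadWizard code: `renderCaptionVulnerable` is a hypothetical template that concatenates the caption into an `alt` attribute unescaped, `renderCaptionSafe` applies the same escaping PHP's `htmlspecialchars(..., ENT_QUOTES)` performs, and `parseAttributes`/`findEventHandlers` are a deliberately small tag tokenizer (not a full HTML parser) used only to show the difference between the two renderings on this input.

```javascript
// Added example, not MediaWiki/UploadWizard code. The template strings, the
// helper names and the tokenizer below are illustrative only.

// Constructed sample caption: the payload from the report.
const PAYLOAD = '"><img src=x onerror=prompt()>';

// Vulnerable rendering (hypothetical): caption dropped straight into an
// attribute value. The caption's own double quote terminates the attribute.
function renderCaptionVulnerable(caption) {
  return '<img src="/thumb.jpg" alt="' + caption + '">';
}

// Escape the five characters that matter in HTML text and quoted-attribute
// context; this is the character set htmlspecialchars(ENT_QUOTES) handles.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Hardened rendering (hypothetical): caption escaped before entering the attribute.
function renderCaptionSafe(caption) {
  return '<img src="/thumb.jpg" alt="' + escapeHtml(caption) + '">';
}

// Simplified attribute tokenizer for a single '<tag ...>' string. Handles
// double-quoted, single-quoted and unquoted values; sufficient for the
// markup produced above, not a general HTML parser.
function parseAttributes(tag) {
  const inner = tag.replace(/^<\w+\s*/, '').replace(/>$/, '');
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Split markup into tags the way the payload forces a browser to: a raw '>'
// ends a tag. In the escaped output no raw '>' survives, so one tag results.
function tags(html) {
  return html.match(/<[a-z][^>]*>/gi) || [];
}

// Number of <img> elements in the markup; a second one means the caption
// escaped its attribute and injected an element of its own.
function countImgTags(html) {
  return tags(html).filter((t) => /^<img\b/i.test(t)).length;
}

// Names of on* event-handler attributes that are real attributes (not text
// inside a quoted value). Empty for the escaped rendering.
function findEventHandlers(html) {
  const found = [];
  for (const tag of tags(html)) {
    for (const name of Object.keys(parseAttributes(tag))) {
      if (name.startsWith('on')) found.push(name);
    }
  }
  return found;
}

console.log('vulnerable:', renderCaptionVulnerable(PAYLOAD));
console.log('  img tags:', countImgTags(renderCaptionVulnerable(PAYLOAD)),
  'handlers:', findEventHandlers(renderCaptionVulnerable(PAYLOAD)));
console.log('safe:      ', renderCaptionSafe(PAYLOAD));
console.log('  img tags:', countImgTags(renderCaptionSafe(PAYLOAD)),
  'handlers:', findEventHandlers(renderCaptionSafe(PAYLOAD)));
```

The point the tokenizer makes is the one from the report's second note: escaping has to happen at the output sink, for the context the caption lands in (here a quoted attribute), and it has to be applied on every page that displays the caption, not only in the upload form that collects it.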