mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function
Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display_map parser function when using the leaflet service.