I've just swatted a change to production and merged a patch into the current master of TextExtracts which updates the extension to strip any script tags and input tags that may result from parser output.
The problem is theoretical and I'm not aware of any existing vectors for attack, but I recommend that anyone using the TextExtracts extension in production either update to the current master or update the $wgExtractsRemoveClasses global config to include script and input tags.
The issue is tracked in https://phabricator.wikimedia.org/T107206 (currently hidden, but I've requested it be made public).
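
A way to confirm that extracts from a wiki no longer carry script or input elements after updating or changing the config. This is an added example, not part of the announcement and not TextExtracts code; it assumes the extract HTML has already been retrieved, and the sample strings and the `find_forbidden_tags` helper are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags the announcement says should be stripped from extract output.
FORBIDDEN_TAGS = {"script", "input"}


class _TagFinder(HTMLParser):
    """Records every forbidden element seen in an HTML fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # list of (tag, line, column, attrs)

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag names, so <SCRIPT> and <Input> match.
        # Self-closing forms such as <input/> are routed here as well.
        if tag in FORBIDDEN_TAGS:
            line, col = self.getpos()
            self.hits.append((tag, line, col, dict(attrs)))


def find_forbidden_tags(extract_html):
    """Return the script/input elements present in one extract."""
    finder = _TagFinder()
    finder.feed(extract_html)
    finder.close()
    return finder.hits


# Constructed sample extracts (not real TextExtracts output).
UNSTRIPPED = (
    "<p>Intro text.</p><SCRIPT>x()</SCRIPT>"
    '<p>More <input type="hidden" name="t"/></p>'
)
STRIPPED = "<p>Intro text.</p><p>More </p>"
# Escaped markup is ordinary text and must not be reported.
ESCAPED = "<p>The &lt;script&gt; element is described here.</p>"

if __name__ == "__main__":
    for name, html in [("unstripped", UNSTRIPPED),
                       ("stripped", STRIPPED),
                       ("escaped", ESCAPED)]:
        hits = find_forbidden_tags(html)
        status = "FAIL" if hits else "ok"
        print(f"{name}: {status} {[h[0] for h in hits]}")
```
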