DynamicPageList3 Usernames Exposure Vulnerability

Vulnerability

A vulnerability in the DynamicPageList3 extension for MediaWiki allows for the leakage of usernames that have been hidden through revision deletion, suppression, or the hideuser block flag. This issue arises because several #dpl parameters can inadvertently reveal these concealed identities. The vulnerability is present in versions prior to 3.6.3 and has been patched in version 3.6.4.

Impact

Exploitation of this vulnerability leads to the unauthorized disclosure of usernames that were intentionally hidden, thereby violating privacy measures established by administrators.

Reproduction

To reproduce this vulnerability, first create a page as a user, then use revision deletion or suppression to hide the username from the page history. Afterward, run a DPL query with one of the affected parameters, such as 'addauthor' or 'lastrevisionbefore', combined with a placeholder that outputs the username. The query result will reveal the previously hidden username.
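The missing visibility check behind the behaviour described above, as an added illustration: this is a simplified model, not code from DynamicPageList3 or MediaWiki. It assumes list output is rendered for a public audience; the `Revision` class, the function names, the placeholder text and the sample rows are hypothetical, and only the bit values mirror MediaWiki's `rev_deleted` field.

```python
# Added illustration: a simplified model, not DynamicPageList3 or MediaWiki code.
from dataclasses import dataclass

# Bit values of MediaWiki's rev_deleted field (RevisionRecord::DELETED_*).
DELETED_USER = 4         # author name hidden on this revision
DELETED_RESTRICTED = 8   # set in addition when the revision is suppressed

HIDDEN = "(username hidden)"  # hypothetical placeholder text


@dataclass
class Revision:
    page: str
    author: str
    rev_deleted: int = 0


def public_author(rev, hideuser_blocked):
    """Return the author name that is safe to show to any reader."""
    if rev.rev_deleted & DELETED_USER:
        return HIDDEN  # covers revision deletion and suppression
    if rev.author in hideuser_blocked:
        return HIDDEN  # account blocked with the hideuser flag
    return rev.author


def render_authors(revs, hideuser_blocked, check_visibility=True):
    """Model a page list that prints each page with its author.

    check_visibility=False models the pre-fix behaviour: the stored
    name is printed regardless of its visibility flags.
    """
    out = []
    for rev in revs:
        name = public_author(rev, hideuser_blocked) if check_visibility else rev.author
        out.append(f"{rev.page}: {name}")
    return out


def names_needing_redaction(revs, hideuser_blocked):
    """Authors an unchecked listing would expose; useful as a regression check."""
    return sorted(r.author for r in revs if public_author(r, hideuser_blocked) == HIDDEN)


# Constructed sample data: one row per hiding mechanism named in the advisory.
SAMPLE = [
    Revision("Page A", "Alice"),
    Revision("Page B", "Bob", DELETED_USER),
    Revision("Page C", "Carol", DELETED_USER | DELETED_RESTRICTED),
    Revision("Page D", "Dave"),
]
HIDEUSER_BLOCKED = {"Dave"}
```

Running `render_authors(SAMPLE, HIDEUSER_BLOCKED)` against a patched and an unpatched model side by side shows which rows differ, which is the same comparison an administrator can make on a test wiki before and after updating.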

Remediation

Users can update to DynamicPageList3 version 3.6.4 to address this vulnerability.

Added: Jul 10, 2025, 8:00 PM
Updated: Jul 10, 2025, 8:00 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.