CVE-2025-53625

HIGH

DynamicPageList3 < 3.6.4 - Exposure of Hidden Usernames via DPL Parameters

Title source: llm

Description

The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag. The vulnerability is fixed in 3.6.4.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-7pgw-q3qp-6pgq

Patch x_refsource_misc

https://github.com/Universal-Omega/DynamicPageList3/commit/a3dae0c89fb4214390c29ceffa23bbe2099986d6

View Patch ZIP pw:eip

Scores

CVSS v4 8.7

EPSS 0.0045

EPSS Percentile 35.6%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-359

Status published

Products (2)

universal-omega/dynamic-page-list3 0 - 3.6.4Packagist

Universal-Omega/DynamicPageList3 < 3.6.4

Published Jul 10, 2025

Tracked Since Feb 18, 2026