Markus-Rost

#30374 of 53,608
8.7 Total CVSS
Vulnerabilities · 1
PT-2025-29121
8.7
2025-07-10
Mediawiki · Dynamicpagelist3 · CVE-2025-53625
**Name of the Vulnerable Software and Affected Versions:** DynamicPageList3 extension versions prior to 3.6.4

**Description:** The DynamicPageList3 extension for MediaWiki contains an issue where certain parameters can reveal usernames that have been hidden through revision deletion, suppression, or the `hideuser` block flag. Specifically, the parameters `adduser`, `addauthor`, `addlasteditor`, and `addcontribution` output usernames using placeholders like `%USER%` and `%CONTRIBUTOR%`, even when those usernames have been hidden. Additionally, parameters like `lastrevisionbefore`, `allrevisionsbefore`, `firstrevisionsince`, and `allrevisionssince` can expose suppressed usernames when used with user-related output placeholders. Parameters such as `createdby`, `notcreatedby`, `modifiedby`, `notmodifiedby`, `lastmodifiedby`, and `notlastmodifiedby` can indirectly reveal hidden usernames when used in queries.

**Recommendations:** DynamicPageList3 extension versions prior to 3.6.4 should be updated to version 3.6.4 or later.