PT-2025-29121 · Mediawiki · Dynamicpagelist3

Markus-Rost · Published 2025-07-10 · Updated 2025-07-11 · CVE-2025-53625

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: DynamicPageList3 extension versions prior to 3.6.4
Description: The DynamicPageList3 extension for MediaWiki contains an issue where certain parameters can reveal usernames that have been hidden through revision deletion, suppression, or the hideuser block flag. Specifically, the parameters adduser, addauthor, addlasteditor, and addcontribution output usernames using placeholders like %USER% and %CONTRIBUTOR%, even when those usernames have been hidden. Additionally, parameters like lastrevisionbefore, allrevisionsbefore, firstrevisionsince, and allrevisionssince can expose suppressed usernames when used with user-related output placeholders. Parameters such as createdby, notcreatedby, modifiedby, notmodifiedby, lastmodifiedby, and notlastmodifiedby can indirectly reveal hidden usernames when used in queries.
Recommendations: DynamicPageList3 extension versions prior to 3.6.4 should be updated to version 3.6.4 or later.
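
The following is an added example, not part of the advisory or of the extension's code: a Python audit that scans page wikitext for DPL invocations using the parameters named in the description, grouped the same way the description groups them. It assumes DPL3 is invoked as `<dpl>...</dpl>` or `{{#dpl: ...}}`; the function names and the sample page are constructed for illustration.

```python
import re

# Parameter groups and placeholders exactly as named in the advisory text.
DIRECT_OUTPUT = {"adduser", "addauthor", "addlasteditor", "addcontribution"}
REVISION_DATE = {"lastrevisionbefore", "allrevisionsbefore",
                 "firstrevisionsince", "allrevisionssince"}
USER_FILTER = {"createdby", "notcreatedby", "modifiedby", "notmodifiedby",
               "lastmodifiedby", "notlastmodifiedby"}
USER_PLACEHOLDERS = ("%USER%", "%CONTRIBUTOR%")

# Assumption: DPL3 is invoked as <dpl>...</dpl> or {{#dpl: ...}}.
TAG_RE = re.compile(r"<dpl\b[^>]*>(.*?)</dpl>", re.I | re.S)
FUNC_START = re.compile(r"\{\{\s*#dpl\s*:", re.I)

def dpl_bodies(text):
    """Yield the parameter text of each DPL invocation in a page."""
    for m in TAG_RE.finditer(text):
        yield m.group(1)
    for m in FUNC_START.finditer(text):
        depth, i = 1, m.end()          # track nested {{...}} inside the call
        while i < len(text) and depth:
            pair = text[i:i + 2]
            depth += (pair == "{{") - (pair == "}}")
            i += 2 if pair in ("{{", "}}") else 1
        if depth == 0:
            yield text[m.end():i - 2]

def audit(text):
    """Return one finding per DPL invocation that uses an affected parameter."""
    findings = []
    for body in dpl_bodies(text):
        names = {p.split("=", 1)[0].strip().lower()
                 for p in re.split(r"[|\n]", body) if "=" in p}
        has_placeholder = any(ph in body for ph in USER_PLACEHOLDERS)
        hit = {"direct": sorted(names & DIRECT_OUTPUT),
               "revision_date": sorted(names & REVISION_DATE) if has_placeholder else [],
               "user_filter": sorted(names & USER_FILTER)}
        if any(hit.values()):
            findings.append(hit)
    return findings

# Constructed sample page, not taken from any real wiki.
SAMPLE = """<dpl>
category = Help
adduser = true
</dpl>
{{#dpl: allrevisionssince = 2025-01-01
 | format = ,\\n* [[%PAGE%]] by %USER%,,
 | lastmodifiedby = {{PAGENAME}}
}}"""
```

`audit(SAMPLE)` returns one finding per flagged invocation; revision-date parameters are reported only when a user placeholder appears in the same invocation, matching the condition stated in the description.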

Related Identifiers

CVE-2025-53625
GHSA-7PGW-Q3QP-6PGQ

Affected Products

Dynamicpagelist3