CVE-2025-49575: 
PHP vulnerability analysis and mitigation

CVE-2025-49575 is a stored Cross-Site Scripting (XSS) vulnerability discovered in the Citizen MediaWiki skin. The vulnerability was disclosed on June 11, 2025, and affects multiple system messages that are inserted into the CommandPaletteFooter as raw HTML. This security issue impacts wikis where a group has the 'editinterface' permission but lacks the 'editsitejs' user right. The vulnerability has been fixed in version 3.3.1 (GitHub Advisory).

The vulnerability stems from improper handling of system messages in the CommandPaletteFooter component. The affected messages include citizen-command-palette-tip-commands, citizen-command-palette-tip-users, citizen-command-palette-tip-namespace, and citizen-command-palette-tip-templates. These messages were retrieved using the plain() output mode instead of parse(), allowing raw HTML injection. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N (GitHub Advisory, Wiz).

The vulnerability allows attackers with 'editinterface' permissions to inject arbitrary HTML into the DOM, potentially leading to Cross-Site Scripting attacks. This could result in unauthorized access to sensitive information and potential manipulation of web content for users viewing the affected pages (GitHub Advisory).

The vulnerability has been patched in version 3.3.1 of the Citizen MediaWiki skin. The fix involves changing the message handling from plain() to parse() mode and implementing proper HTML escaping. Users are advised to upgrade to the patched version. The fix is implemented in commit 93c36ac778397e0e7c46cf7adb1e5d848265f1bd (Wiz).