CVE-2025-49577: 
PHP vulnerability analysis and mitigation

CVE-2025-49577 affects the Citizen MediaWiki skin, a component that makes extensions part of a cohesive experience. The vulnerability was discovered and disclosed on June 11, 2025, and involves various preferences messages being inserted into raw HTML, allowing users with message editing privileges to insert arbitrary HTML into the DOM. The issue has been fixed in version 3.3.1 (GitHub Advisory, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It has a CVSS v3.1 score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The technical root cause involves the innerHtml of the label div being set to the textContent of the label, which effectively unsanitizes system messages in the preferences menu heading (Wiz).

The vulnerability allows attackers with message editing privileges to achieve high levels of confidentiality and integrity impact through arbitrary HTML injection into the DOM. However, there is no impact on system availability, and the scope remains unchanged, meaning the vulnerability cannot affect resources beyond its security scope (GitHub Advisory).

The vulnerability has been patched in version 3.3.1 with commit 93c36ac778397e0e7c46cf7adb1e5d848265f1bd. The fix involves proper escaping of menu headings, user registration dates, and various other message handling improvements (GitHub Commit).