CVE-2025-49578: 
PHP vulnerability analysis and mitigation

CVE-2025-49578 is a stored Cross-Site Scripting (XSS) vulnerability discovered in Citizen, a MediaWiki skin that makes extensions part of the cohesive experience. The vulnerability was discovered in June 2025 and affects versions prior to 3.3.1. The issue stems from various date messages returned by Language::userDate being inserted into raw HTML, which allows users with specific privileges to inject arbitrary HTML into the DOM (GitHub Advisory, Wiz).

The vulnerability occurs in the CitizenComponentUserInfo.php component where the result of $this->lang->userDate($timestamp, $this->user) returns unescaped values that are inserted as raw HTML. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, low attack complexity, high privileges required, and no user interaction needed (GitHub Advisory, Wiz).

The vulnerability allows attackers with editinterface privileges to inject arbitrary HTML into the DOM, potentially leading to stored Cross-Site Scripting attacks. This could result in high impact on both confidentiality and integrity of the affected systems, though there is no direct impact on system availability. The vulnerability specifically impacts wikis where a group has the editinterface but not the editsitejs user right (GitHub Advisory).

The vulnerability has been patched in version 3.3.1 of the Citizen MediaWiki skin. The fix involves properly escaping the user registration date output and implementing proper HTML sanitization. Users are strongly advised to upgrade to the patched version (GitHub Advisory).