CVE-2025-53368: 
PHP vulnerability analysis and mitigation

Citizen, a MediaWiki skin that makes extensions part of the cohesive experience, was found to contain a cross-site scripting (XSS) vulnerability. From versions 1.9.4 to before 3.4.0, page descriptions were inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. The vulnerability was discovered and disclosed on July 3, 2025, and affects the MediaWiki Citizen skin installations (GitHub Advisory).

The vulnerability stems from unsanitized page descriptions being inserted as raw HTML in the search results. The issue specifically occurs in the TypeaheadListItem.mustache template file where descriptions from TextExtracts, Description2, Wikibase, and ShortDescription can contain unsanitized user input. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, indicating network attack vector, low complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability allows any user with page editing privileges to insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This could lead to unauthorized access to user data, session hijacking, website defacement, or redirection to malicious sites (NVD).

The vulnerability has been patched in version 3.4.0 of the Citizen skin. Users are strongly advised to update to this version as it contains important security fixes. The fix involves properly sanitizing search result descriptions in the old search module (GitHub Release).