CVE-2025-53370: 
PHP vulnerability analysis and mitigation

Citizen, a MediaWiki skin that makes extensions part of the cohesive experience, was found to contain a stored Cross-Site Scripting (XSS) vulnerability affecting versions 1.9.4 to before 3.4.0. The vulnerability was discovered on July 3, 2025, and allows any user to insert arbitrary HTML into the DOM by editing a page through short descriptions set via the ShortDescription extension (GitHub Advisory).

The vulnerability occurs when short descriptions from the ShortDescription extension are inserted as raw HTML by the Citizen skin without proper sanitization. The issue stems from the shortdesc property containing unsanitized user input being retrieved from the OutputPage and returned as the tagline. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, indicating it can be exploited remotely with no privileges required (GitHub Advisory).

The vulnerability allows attackers to inject arbitrary HTML into the DOM, enabling JavaScript execution in the context of other users' browsers. This could lead to unauthorized access to sensitive information, potential session hijacking, and other client-side attacks (GitHub Advisory).

The vulnerability has been patched in version 3.4.0 of the Citizen skin. The fix involves properly sanitizing the short description input using htmlspecialchars() with ENT_QUOTES flag. Users are strongly advised to upgrade to version 3.4.0 or later (GitHub Release).