GHSA-7PGW-Q3QP-6PGQ

Vulnerability from github – Published: 2025-07-10 13:10 – Updated: 2025-07-10 23:23
Summary
DynamicPageList3 vulnerability exposes hidden/suppressed usernames
Details

Summary

Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag.

Details

The parameters adduser, addauthor, and addlasteditor output the page creator or last editor using the %USER% placeholder. These display the actual username, even when that name has been hidden using revision deletion, suppression (oversight), or hideuser.

The %CONTRIBUTOR% placeholder, used with addcontribution, behaves similarly and also reveals hidden usernames.

In addition, the following parameters can expose suppressed usernames when combined with %USER% or similar output placeholders:

  - lastrevisionbefore
  - allrevisionsbefore
  - firstrevisionsince
  - allrevisionssince

These parameters reference specific revisions and allow output of user-related metadata. If a username has been hidden from those revisions, it may still appear in the output.

Further, the parameters createdby, notcreatedby, modifiedby, notmodifiedby, lastmodifiedby, and notlastmodifiedby accept usernames as input. When the correct (suppressed) username is used, the query may return matching pages or edits. This can reveal the presence and association of a hidden identity, even if not displayed directly. However, this is a more indirect exposure than the output parameters mentioned above.

Proof of Concept

  1. Create a page while logged in as a user.
  2. Revision delete or suppress the username from the page history.
  3. Use a DPL query with one of the affected parameters.
  4. The output reveals the hidden username.

Example

The following query reveals the suppressed username Example user:

{{#dpl:
| title = File:Example.png
| addauthor = true
| format = ,%USER%,,
}}

Similar behavior occurs using parameters like lastrevisionbefore with %USER% in the format string.

Impact

This issue causes the exposure of usernames that were intentionally hidden by administrators. It directly undermines revision deletion, user suppression, and block-related privacy measures. In some cases, usernames can be revealed both directly through output and indirectly through query behavior.
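
For auditing existing wiki content, the following Python scan reports which #dpl calls use the parameters named in this advisory and whether the exposure is direct (output) or indirect (filter). It is an added example, not part of the advisory or of the DynamicPageList3 code; the OFF spellings for a disabled boolean, the simple split on "|" and the sample text (including the category and count parameters in the second query) are assumptions made for illustration.

```python
import re

# Parameter groups exactly as the advisory lists them.
OUTPUT = {"adduser", "addauthor", "addlasteditor", "addcontribution"}
REVISION = {"lastrevisionbefore", "allrevisionsbefore",
            "firstrevisionsince", "allrevisionssince"}
FILTER = {"createdby", "notcreatedby", "modifiedby", "notmodifiedby",
          "lastmodifiedby", "notlastmodifiedby"}
PLACEHOLDERS = ("%USER%", "%CONTRIBUTOR%")
OFF = {"false", "no", "0"}  # assumed spellings of a disabled boolean

def dpl_bodies(wikitext):
    """Yield the text inside each {{#dpl: ...}} call, tracking nested {{ }}."""
    for m in re.finditer(r"\{\{\s*#dpl\s*:", wikitext, re.IGNORECASE):
        depth, i = 1, m.end()
        while i < len(wikitext) and depth:
            pair = wikitext[i:i + 2]
            depth += (pair == "{{") - (pair == "}}")
            i += 2 if pair in ("{{", "}}") else 1
        if depth == 0:
            yield wikitext[m.end():i - 2]

def audit(wikitext):
    """Return (exposure, parameter) pairs for every affected parameter used."""
    findings = []
    for body in dpl_bodies(wikitext):
        has_placeholder = any(p in body for p in PLACEHOLDERS)
        # Simple split on "|": stray keys from nested templates are ignored
        # unless they happen to match an affected parameter name.
        for part in body.split("|"):
            key, _, value = part.partition("=")
            key, value = key.strip().lower(), value.strip().lower()
            if key in OUTPUT and value not in OFF:
                findings.append(("direct", key))
            elif key in REVISION and has_placeholder:
                findings.append(("direct", key))
            elif key in FILTER:
                findings.append(("indirect", key))
    return findings

# Constructed sample: the advisory's example plus a hypothetical filter query.
SAMPLE = """Intro text.
{{#dpl:
| title = File:Example.png
| addauthor = true
| format = ,%USER%,,
}}
{{#dpl: category = Example | createdby = Example user | count = 5 }}
"""
```

Calling audit(SAMPLE) returns one direct finding for addauthor and one indirect finding for createdby; pages with findings are the ones to re-check after upgrading to the fixed release.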


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "universal-omega/dynamic-page-list3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-10T13:10:20Z",
    "nvd_published_at": "2025-07-10T19:15:26Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nSeveral `#dpl` parameters can leak usernames that have been hidden using revision deletion, suppression, or the `hideuser` block flag.\n\n### Details\nThe parameters `adduser`, `addauthor`, and `addlasteditor` output the page creator or last editor using the `%USER%` placeholder. These display the actual username, even when that name has been hidden using revision deletion, suppression (oversight), or `hideuser`.\n\nThe `%CONTRIBUTOR%` placeholder, used with `addcontribution`, behaves similarly and also reveals hidden usernames.\n\nIn addition, the following parameters can expose suppressed usernames when combined with `%USER%` or similar output placeholders:\n- `lastrevisionbefore`\n- `allrevisionsbefore`\n- `firstrevisionsince`\n- `allrevisionssince`\n\nThese parameters reference specific revisions and allow output of user-related metadata. If a username has been hidden from those revisions, it may still appear in the output.\n\nFurther, the parameters `createdby`, `notcreatedby`, `modifiedby`, `notmodifiedby`, `lastmodifiedby`, and `notlastmodifiedby` accept usernames as input. When the correct (suppressed) username is used, the query may return matching pages or edits. This can reveal the presence and association of a hidden identity, even if not displayed directly. However, this is a more indirect exposure than the output parameters mentioned above.\n\n### Proof of Concept\n\n1. Create a page while logged in as a user.\n2. Revision delete or suppress the username from the page history.\n3. Use a DPL query with one of the affected parameters.\n4. The output reveals the hidden username.\n\n#### Example\n\nThe following query reveals the suppressed username `Example user`:\n\n```wikitext\n{{#dpl:\n| title = File:Example.png\n| addauthor = true\n| format = ,%USER%,,\n}}\n```\n\nSimilar behavior occurs using parameters like `lastrevisionbefore` with `%USER%` in the `format` string.\n\n### Impact\nThis issue causes the exposure of usernames that were intentionally hidden by administrators. It directly undermines revision deletion, user suppression, and block-related privacy measures. In some cases, usernames can be revealed both directly through output and indirectly through query behavior.",
  "id": "GHSA-7pgw-q3qp-6pgq",
  "modified": "2025-07-10T23:23:34Z",
  "published": "2025-07-10T13:10:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-7pgw-q3qp-6pgq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53625"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Universal-Omega/DynamicPageList3/commit/a3dae0c89fb4214390c29ceffa23bbe2099986d6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Universal-Omega/DynamicPageList3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DynamicPageList3 vulnerability exposes hidden/suppressed usernames"
}

