
CVE-2025-53625: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in Universal-Omega DynamicPageList3

High
Tags: vulnerability, cve-2025-53625, cwe-359
Published: Thu Jul 10 2025 (07/10/2025, 18:31:22 UTC)
Source: CVE Database V5
Vendor/Project: Universal-Omega
Product: DynamicPageList3

Description

The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag. The vulnerability is fixed in 3.6.4.

AI-Powered Analysis

AILast updated: 07/10/2025, 19:01:10 UTC

Technical Analysis

CVE-2025-53625 is a high-severity information-disclosure vulnerability in the DynamicPageList3 (DPL3) extension for MediaWiki, maintained by Universal-Omega. DPL3 is a reporting tool that generates lists of category members and category intersections in various formats, optionally enriched with per-page details such as authorship. Several #dpl parameters mishandle usernames that the wiki has deliberately hidden and return them in the generated list. MediaWiki has three mechanisms for hiding a username: revision deletion (an administrator hides the author of individual revisions), suppression (the oversight-level form of revision deletion, visible only to suppressors) and the hideuser flag on a block (the account name is hidden site-wide). All three exist to protect contributors, for example targets of harassment, and a report that bypasses them exposes exactly the data they were meant to withhold.

Because #dpl is a parser function placed in wikitext, anyone who can save or preview a page can invoke the affected parameters; on wikis that permit anonymous editing no account is required, which is why the CVSS 4.0 vector records no privileges and no user interaction. The base score is 8.7 (network attack vector, low attack complexity, high confidentiality impact, no impact on integrity or availability). Versions of DPL3 before 3.6.4 are affected; 3.6.4 contains the fix. No exploitation in the wild was known at publication. The weakness is classed as CWE-359 (exposure of private personal information to an unauthorized actor): a privacy breach rather than a system compromise or denial of service.
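The hiding mechanisms above are flags on MediaWiki's revision and block records, and a leak of this class is a report that reads the stored actor name without applying the audience check that those flags require. The following Python model is an added illustration, not DPL3 or MediaWiki code: it reproduces the revision-deletion bits MediaWiki's RevisionRecord uses (DELETED_USER = 4, DELETED_RESTRICTED = 8) plus a set of hideuser-blocked accounts, and contrasts a leaky name resolver with one that applies audience rules. The row layout, viewer rights, sample data and function names are constructed; the rights mapping (deletedhistory for revision-deleted authors, suppressor-level rights for suppressed and hideuser-hidden ones) is an approximation of MediaWiki's, not a copy of it.

```python
"""
Added model of MediaWiki's hidden-username rules (not DPL3/MediaWiki code).
Real facts used: revision.rev_deleted is a bitfield where bit 4 hides the
author (RevisionRecord::DELETED_USER) and bit 8 restricts it to suppressors
(RevisionRecord::DELETED_RESTRICTED); a block with hideuser hides the account
name site-wide. Everything else here is constructed for the example.
"""
from dataclasses import dataclass

DELETED_USER = 4        # RevisionRecord::DELETED_USER: author of this revision hidden
DELETED_RESTRICTED = 8  # RevisionRecord::DELETED_RESTRICTED: only suppressors may see it


@dataclass(frozen=True)
class Revision:
    page: str
    actor_name: str       # what the actor table stores, regardless of hiding
    rev_deleted: int = 0  # revision.rev_deleted bitfield


@dataclass(frozen=True)
class Viewer:
    can_view_deleted: bool = False     # 'deletedhistory' right (constructed mapping)
    can_view_suppressed: bool = False  # suppressor / hideuser level (constructed mapping)


# Accounts blocked with the hideuser flag (constructed sample).
HIDDEN_USERS = frozenset({"HarassedUser"})


def author_raw(rev, viewer):
    """Leaky pattern: return the stored actor name, ignoring hiding entirely."""
    return rev.actor_name


def author_for_audience(rev, viewer, hidden_users=HIDDEN_USERS):
    """Hardened pattern: the audience check RevisionRecord::getUser(FOR_THIS_USER)
    applies, modelled here. Returns None where the viewer may not see the name."""
    if rev.actor_name in hidden_users and not viewer.can_view_suppressed:
        return None  # hideuser: name hidden site-wide, not just on one revision
    if rev.rev_deleted & DELETED_USER:
        if rev.rev_deleted & DELETED_RESTRICTED:
            if not viewer.can_view_suppressed:
                return None  # suppressed: even ordinary admins must not see it
        elif not viewer.can_view_deleted:
            return None  # ordinary revision deletion: admins may see it
    return rev.actor_name


def list_authors(revs, viewer, resolver):
    """What a 'pages by author' report produces, given a name resolver."""
    return {r.page: resolver(r, viewer) for r in revs}


SAMPLE_REVISIONS = [  # constructed rows, not real wiki data
    Revision("Main Page", "Alice"),
    Revision("Policy", "Bob", rev_deleted=DELETED_USER),
    Revision("Incident 17", "Carol", rev_deleted=DELETED_USER | DELETED_RESTRICTED),
    Revision("Talk:Sandbox", "HarassedUser"),
]

ANON = Viewer()
ADMIN = Viewer(can_view_deleted=True)
OVERSIGHTER = Viewer(can_view_deleted=True, can_view_suppressed=True)

if __name__ == "__main__":
    print("leaky  :", list_authors(SAMPLE_REVISIONS, ANON, author_raw))
    print("checked:", list_authors(SAMPLE_REVISIONS, ANON, author_for_audience))
```

Whatever DPL3's actual code path was (the advisory does not say), the remedy for this class of bug is the same: every place that turns a revision or actor row into a displayed username must go through the audience-aware accessor rather than the raw column, and a direct SQL join or a cached value that skips that step reproduces the leak for every viewer.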

Potential Impact

For European organizations running MediaWiki with DynamicPageList3 earlier than 3.6.4, this is primarily a privacy risk. The usernames at stake were hidden deliberately, often to protect a contributor who is being harassed or who edited under a name that identifies them, so exposing them can cause real harm to individuals and may amount to a personal-data breach under the EU General Data Protection Regulation (GDPR), with the notification duties, penalties and reputational damage that follow. Because the affected parameters can be invoked by anyone able to edit wikitext, a remote attacker on an openly editable wiki needs no account to harvest the names, which can then feed targeted social engineering or spear phishing. Integrity and availability are untouched, but the confidentiality loss alone is serious for public-sector bodies, universities and collaborative projects that rely on MediaWiki for knowledge management and host communities with hidden accounts. With no exploitation in the wild reported at publication, there is a window to patch before that changes.

Mitigation Recommendations

Audit every MediaWiki installation for DynamicPageList3 (check extensions/DynamicPageList3/extension.json or the Special:Version page) and upgrade to 3.6.4 or later; that is the only complete fix. Where an upgrade must wait, reduce who can reach the affected parameters: restrict page editing to trusted accounts (the #dpl parser function runs only from wikitext, so whoever can edit or preview a page can invoke it), consider disabling the extension, or lower DPL3's $wgDplSettings['functionalRichness'] setting, which limits the set of parameters the extension accepts, bearing in mind that the advisory does not state which richness level removes the affected ones. For detection, an AbuseFilter rule or a periodic scan of page text for #dpl and <DPL> invocations that use authorship-related parameters surfaces the pages to review, and monitoring the edit log for new invocations by untrusted users flags probing. After patching, verify as an anonymous viewer that revision-deleted, suppressed and hideuser-hidden names no longer appear in DPL3 output. Keep MediaWiki and its extensions current, and tell affected users where hidden names may already have been exposed so they can watch for phishing.
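The audit step above, as an added example that is not DPL3's or MediaWiki's own code: a Python helper that reads the version key of the extension's extension.json, compares it with the fixed 3.6.4, and inventories #dpl and <DPL> invocations in exported page text so the pages to review are known. It assumes extension.json carries the usual MediaWiki version key; the JSON fragment and page texts are constructed, and the parameter names in them are illustrative only, since the advisory does not name the affected parameters.

```python
"""
Added audit helper (not part of DPL3 or MediaWiki): version check plus an
inventory of #dpl / <DPL> invocations in wikitext. The extension.json fragment
and the page texts below are constructed for the example; the parameter names
in them are illustrative, the advisory does not say which parameters leak.
"""
import json
import re

FIXED_VERSION = (3, 6, 4)

# {{#dpl: ... }} parser-function form and <DPL> ... </DPL> tag form.
# Deliberately simple: a template nested inside a parameter value would cut
# the non-greedy match short, so treat hits as candidates to review, not proof.
PARSER_FUNCTION_RE = re.compile(r"\{\{\s*#dpl\s*:(.*?)\}\}", re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<dpl>(.*?)</dpl>", re.IGNORECASE | re.DOTALL)


def parse_version(text):
    """'3.6.3' -> (3, 6, 3); trailing qualifiers such as '-rc1' are ignored."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not nums:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in nums.groups())


def installed_version(extension_json_text):
    """Version as declared by the extension's own extension.json (assumed key)."""
    return parse_version(json.loads(extension_json_text)["version"])


def is_vulnerable(version):
    return tuple(version) < FIXED_VERSION


def _params(chunk, separator):
    params = {}
    for piece in chunk.split(separator):
        piece = piece.strip()
        if not piece:
            continue
        name, _, value = piece.partition("=")
        params[name.strip().lower()] = value.strip()
    return params


def find_dpl_invocations(wikitext):
    """Return one parameter dict per #dpl or <DPL> invocation found."""
    found = [_params(m.group(1), "|") for m in PARSER_FUNCTION_RE.finditer(wikitext)]
    found += [_params(m.group(1), "\n") for m in TAG_RE.finditer(wikitext)]
    return found


def audit(extension_json_text, pages):
    """pages: {title: wikitext}. Returns what an upgrade ticket needs."""
    version = installed_version(extension_json_text)
    usage = {title: find_dpl_invocations(text) for title, text in pages.items()}
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "pages_using_dpl": sorted(t for t, inv in usage.items() if inv),
        "invocations": usage,
    }


# Constructed inputs standing in for extensions/DynamicPageList3/extension.json
# and for page text pulled from the wiki (e.g. via Special:Export).
SAMPLE_EXTENSION_JSON = '{"name": "DynamicPageList3", "version": "3.6.3"}'
SAMPLE_PAGES = {
    "Incident index": (
        "Recent incidents:\n"
        "{{#dpl:\n|category=Incidents\n|addauthor=true\n|ordermethod=firstedit\n}}\n"
    ),
    "Policy list": "<DPL>\ncategory=Policies\naddlasteditor=true\n</DPL>\n",
    "Main Page": "Welcome. Nothing dynamic here.\n",
}

if __name__ == "__main__":
    report = audit(SAMPLE_EXTENSION_JSON, SAMPLE_PAGES)
    state = "VULNERABLE, upgrade to 3.6.4 or later" if report["vulnerable"] else "patched"
    print(f"DPL3 {'.'.join(map(str, report['version']))}: {state}")
    for title in report["pages_using_dpl"]:
        for inv in report["invocations"][title]:
            print(f"  {title}: parameters {sorted(inv)}")
```

Run it against the real extension.json and an export of the pages that embed lists (a database query for page text containing "#dpl" or "<DPL" is the quickest way to collect them); the parameter inventory is what tells you which pages to re-check as an anonymous viewer once 3.6.4 is installed.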


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-07T14:20:38.388Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68700a6fa83201eaaca9447f

Added to database: 7/10/2025, 6:46:07 PM

Last enriched: 7/10/2025, 7:01:10 PM

Last updated: 8/13/2025, 6:43:04 AM
