The RenderBlocking extension for MediaWiki, developed by lihaohong6, enables interface administrators to specify render-blocking CSS and JavaScript to control page rendering behavior. Versions prior to 0.1.1 contain a stored cross-site scripting (XSS) vulnerability (CWE-79) in the renderblocking-css feature when operating in Inline Assets mode ($wgRenderBlockingInlineAssets = true). This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious scripts to be injected and stored within the MediaWiki environment. Exploitation requires the attacker to have editsitecss user rights, which are typically granted to trusted administrators who can edit site-wide CSS. When a victim views a page with the injected malicious script, the script executes in their browser context, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability has a CVSS 4.0 base score of 2.0, reflecting low severity due to the high privilege and user interaction requirements, and limited impact on confidentiality and integrity. No known exploits are currently reported in the wild. The issue was publicly disclosed on March 10, 2026, and fixed in RenderBlocking version 0.1.1. Users of affected versions should upgrade to eliminate the risk.

While the vulnerability requires high privileges (editsitecss rights) and user interaction, it still poses a risk to organizations using MediaWiki with the RenderBlocking extension configured to use inline assets. An attacker with these privileges could inject persistent malicious scripts that execute in the browsers of other users, potentially leading to session theft, unauthorized actions, or defacement. The impact is somewhat limited by the requirement for high privileges and specific configuration, but in environments where multiple administrators or trusted users have these rights, the risk of insider threats or compromised accounts increases. Additionally, if exploited, it could undermine user trust and the integrity of the MediaWiki platform. The vulnerability does not affect availability or cause denial of service. Given the niche nature of the extension and configuration, the overall global impact is limited but relevant for organizations relying on this setup.

The primary mitigation is to upgrade the RenderBlocking extension to version 0.1.1 or later, where the vulnerability is fixed. Administrators should audit user privileges to ensure that only trusted users have editsitecss rights, minimizing the risk of malicious input. Additionally, implement strict content security policies (CSP) to restrict script execution sources, which can reduce the impact of XSS attacks. Regularly review and sanitize all inputs related to CSS and JavaScript editing interfaces. Employ monitoring and alerting for unusual administrative activities or unexpected content changes. Finally, educate administrators about the risks of injecting untrusted content and enforce multi-factor authentication (MFA) to protect privileged accounts.