Description
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is still able to "purge" pages through the MediaWiki Action API, which a "sitewide block" should have prevented.
Remediation
References