Incorrect Access Control in ReplaceText Extension for MediaWiki Allows Blocked Users to Run Replace Jobs

CVE-2021-41801 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even when it runs at a later time because of a job queue backlog.
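The gap described above is between the permission check made when the job is submitted and the moment the queued job executes. The following is an added example, not code from MediaWiki or the ReplaceText extension: a constructed Python model of a deferred job queue in which every name (`Wiki`, `submit_replace`, `run_jobs`, `scenario`) and the sample pages are assumptions, showing the same queue drained without and with a block re-check at execution time.

```python
# Constructed model of a deferred job queue; not MediaWiki or ReplaceText code.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Wiki:
    pages: dict
    blocked: set = field(default_factory=set)
    queue: deque = field(default_factory=deque)

    def submit_replace(self, user, target, replacement):
        # Time of check: block status is evaluated once, at submission.
        if user in self.blocked:
            raise PermissionError(f"{user} is blocked")
        for title in self.pages:
            self.queue.append((user, title, target, replacement))

    def run_jobs(self, recheck_block):
        """Drain the queue and return the titles that were actually edited."""
        edited = []
        while self.queue:
            user, title, target, replacement = self.queue.popleft()
            # Time of use: a hardened runner re-evaluates the block here,
            # because the job may execute long after it was queued.
            if recheck_block and user in self.blocked:
                continue  # drop the job instead of editing on the user's behalf
            self.pages[title] = self.pages[title].replace(target, replacement)
            edited.append(title)
        return edited


def scenario(recheck_block):
    """Submit a replace, block the submitter, then let the backlog run."""
    wiki = Wiki(pages={"A": "foo bar", "B": "foo baz"})  # constructed sample pages
    wiki.submit_replace("mallory", "foo", "spam")
    wiki.blocked.add("mallory")  # block lands while the jobs are still queued
    edited = wiki.run_jobs(recheck_block)
    return edited, wiki.pages


if __name__ == "__main__":
    print("submit-time check only:", scenario(recheck_block=False))
    print("re-check at run time:  ", scenario(recheck_block=True))
```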
