Impact
RenderBlocking, a MediaWiki extension that manages render-blocking CSS and JavaScript, contained a stored cross-site scripting (XSS) flaw in its inline assets mode. A user holding the editsitecss right could place script-bearing content in the wiki's site-wide CSS; because that CSS is stored in the wiki and, in inline mode, emitted into the HTML of every page, the payload executed in the browser of every visitor on every page view. The flaw is confined to the inline asset feature controlled by the configuration variable $wgRenderBlockingInlineAssets, but with that feature enabled a single injection reaches all users of the wiki. The published CVSS score of 2.0 is low because exploitation requires the editsitecss right (which MediaWiki grants by default only to the interface-admin group) and the flaw gives no code execution on the server; the client-side consequence is still that of any stored XSS, namely the integrity of the sessions and actions of every user who loads an affected page.
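The mechanism an inline-asset mode has to defend against, shown as an added PHP illustration. This is not code from the RenderBlocking extension or from MediaWiki, and the page does not describe the exact vulnerable or fixed code paths in 0.1.0 and 0.1.1; the example assumes only that "inlining" means writing the site stylesheet as the raw text content of a <style> element, and the sample stylesheet, the function names and the alert() placeholder are constructed for the demonstration.

```php
<?php
// Added illustration for this advisory; not code from the RenderBlocking
// extension or from MediaWiki. Assumes inline asset mode emits the site
// stylesheet as the raw text content of a <style> element.

/**
 * Unsafe inlining: the stylesheet body is interpolated verbatim. Inside
 * <style>, the HTML parser treats everything as raw text until it sees
 * "</style", so a stylesheet that contains that sequence terminates the
 * element and whatever follows is parsed as markup, including <script>.
 */
function inlineStyleUnsafe( string $css ): string {
    return "<style>{$css}</style>";
}

/**
 * Hardened inlining: replace "<" with the CSS hex escape "\3C " before
 * interpolation. CSS swallows the single space that terminates the escape,
 * so "\3C " still means "<" to the CSS parser (e.g. inside content: "<")
 * while the HTML tokenizer never sees a "<" that could close the element.
 * ">" is left alone: it is the CSS child combinator and is harmless in raw
 * text content. "&" needs no treatment either; raw text is not decoded.
 */
function inlineStyleSafe( string $css ): string {
    $escaped = strtr( $css, [ '<' => '\3C ' ] );
    return "<style>{$escaped}</style>";
}

/**
 * Check used below: the rendered markup must contain exactly one "</style",
 * the one the helper appended. Any other occurrence means the stylesheet
 * broke out of the element.
 */
function styleElementIntact( string $html ): bool {
    return substr_count( strtolower( $html ), '</style' ) === 1;
}

// Constructed sample of what a user with editsitecss could save in a
// site-wide CSS page. The alert() stands in for arbitrary script.
$siteCss = "body { color: #333 }\n</style><script>alert('xss')</script><style>";

$unsafe = inlineStyleUnsafe( $siteCss );
$safe   = inlineStyleSafe( $siteCss );

printf( "unsafe intact: %s\n", styleElementIntact( $unsafe ) ? 'yes' : 'no' );
printf( "safe intact:   %s\n", styleElementIntact( $safe ) ? 'yes' : 'no' );
echo $safe, "\n";
```

Run with `php inline_style.php`: the unsafe rendering contains a second `</style` and a live `<script>` element, the hardened one contains `\3C /style\3C script...` as inert CSS text. MediaWiki core provides Html::inlineStyle(), which applies this class of escape, and an extension that inlines stylesheets should call it rather than assembling the element by hand; whether RenderBlocking 0.1.1 does so is not stated on the page.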
Affected Systems
The affected product is the RenderBlocking extension for MediaWiki by lihaohong6, versions 0.1.0 and earlier. The vulnerability is fixed in version 0.1.1, the earliest release to include the fix. Because the flaw is confined to inline asset mode, a site that cannot upgrade immediately removes the exposure by turning that mode off via $wgRenderBlockingInlineAssets until it can.
Risk and Exploitability
With an EPSS score below 1% and no entry in the CISA KEV catalog, widespread exploitation is unlikely, but the impact is real for wikis that grant editsitecss to more than a small, trusted set of accounts. An attacker must first hold the editsitecss right; with it, a single edit to a site-wide CSS page plants a persistent payload that runs in the session of every user who visits an affected page, administrators included. The CVSS score reflects that the risk is client-side and that server-side code and data are not compromised directly, but script running in a logged-in user's session can act through the wiki's web interface with that user's permissions and can present convincing phishing content. Operators should therefore audit who holds the right (for example with the API query action=query&list=allusers&aurights=editsitecss) and, on wikis that ran an affected version with inline assets enabled, review the recent history of the site-wide CSS pages such as MediaWiki:Common.css.
OpenCVE Enrichment