Description
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it can still "purge" pages through the MediaWiki Action API, which a "sitewide block" should have prevented.
Remediation
References