Description
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inability to properly audit and attribute various user actions performed via the FileImporter extension.
Remediation
References
Related Vulnerabilities
WordPress Plugin WP FullCalendar Security Bypass (1.4.1)
WordPress Plugin Qards Cross-Site Scripting (1.4.3)
WordPress Server-Side Request Forgery (3.7 - 6.1.1)
WordPress Plugin NextMove Lite-Thank You Page for WooCommerce Cross-Site Request Forgery (2.18.1)
WordPress Plugin IMPress for IDX Broker Cross-Site Scripting (3.0.5)