An issue exists in the WatchAnalytics extension in MediaWiki prior to 1.40.2. XSS can occur via the Special:PageStatistics page parameter.
mediawiki mediawiki