Example:
- Enable IP info and view some IP info
- Create an external webpage with <iframe src="https://test.wikipedia.org/w/rest.php/ipinfo/v0/revision/60421?dataContext=infobox&language=en"></iframe>
- View this external webpage
- This will show IP info, which is (assumed to be) logged.
Another example:
- Enable IP info
- View a Special:Contributions page and uncollapse the IP information section (this will set mw-ipinfo-infobox-expanded in LocalStorage to 1)
- Create an external webpage with <iframe src="https://test.wikipedia.org/wiki/Special:Contributions/127.0.0.1"></iframe>
- View this external webpage
- This will show IP info by default, which is logged.
Other users viewing that external webpage will have a log entry recorded (if mw-ipinfo-infobox-expanded is 1 in the second case, but assumed always in the first case). If a Checkuser is compromised, they will know the IP of any such users without any scrutiny (since viewing the ipinfo log is not logged) if combined with the access log of the external webpage.
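One way a server could refuse the two framed requests described above before any log entry is written, using the browser's Fetch Metadata headers plus anti-framing response headers. This is an added example, not code from the report or from MediaWiki/IPInfo; the function name `checkLoggedView`, the fail-closed policy and the sample requests are assumptions.

```javascript
// Added example: not MediaWiki or IPInfo code. The two paths come from the
// report; checkLoggedView and its policy are assumptions for illustration.
const FRAME_DESTS = new Set(['iframe', 'frame', 'embed', 'object']);
const LOGGED_API = /^\/w\/rest\.php\/ipinfo\//;          // first example
const LOGGED_PAGE = /^\/wiki\/Special:Contributions\//;  // second example
const ANTI_FRAMING = {
  'Content-Security-Policy': "frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};

function checkLoggedView(path, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).toLowerCase();
  }
  const site = h['sec-fetch-site'];
  const dest = h['sec-fetch-dest'];
  const framed = FRAME_DESTS.has(dest);
  const verdict = (allow, reason) => ({ allow, reason, headers: ANTI_FRAMING });

  if (LOGGED_API.test(path)) {
    // Assumed legitimate caller: the wiki's own script, so same-origin and
    // never a frame navigation. Fail closed when the browser sends no metadata.
    if (site === undefined) return verdict(false, 'no fetch metadata');
    if (site !== 'same-origin') return verdict(false, `sec-fetch-site=${site}`);
    if (framed) return verdict(false, `sec-fetch-dest=${dest}`);
    return verdict(true, 'same-origin script request');
  }
  if (LOGGED_PAGE.test(path)) {
    // Assumed: the page's own script calls the API same-origin, so framing
    // has to be stopped here, before the expanded infobox loads.
    if (framed && site !== 'same-origin') return verdict(false, `framed, site=${site}`);
    return verdict(true, 'top-level or same-origin view');
  }
  return { allow: true, reason: 'not a logged IP info view', headers: {} };
}

// Constructed requests mirroring the two iframes in the report.
const samples = [
  ['/w/rest.php/ipinfo/v0/revision/60421', { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Dest': 'iframe' }],
  ['/w/rest.php/ipinfo/v0/revision/60421', { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Dest': 'empty' }],
  ['/wiki/Special:Contributions/127.0.0.1', { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Dest': 'iframe' }],
  ['/wiki/Special:Contributions/127.0.0.1', { 'Sec-Fetch-Site': 'none', 'Sec-Fetch-Dest': 'document' }],
];
for (const [path, headers] of samples) {
  const r = checkLoggedView(path, headers);
  console.log(r.allow ? 'ALLOW' : 'DENY ', path, '-', r.reason);
}
```

The anti-framing headers are returned even on allowed responses so that browsers which send no Fetch Metadata still refuse to render the page inside a third-party frame.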