A malicious site can cause MediaWiki to emit an Access-Control-Allow-Origin header that permits CORS requests from the malicious site, because the check against $wgCrossSiteAJAXdomains only requires that the request's Origin begin with an allowed domain rather than match it as a whole hostname.
For example, a request from http://en.wikipedia.org.evilsite.example/ would match a $wgCrossSiteAJAXdomains entry for "en.wikipedia.org", since the attacker-controlled hostname en.wikipedia.org.evilsite.example starts with the allowed domain; an attacker only needs a subdomain under a domain they control whose leading labels spell out an allowed entry.
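The following is an added example, not MediaWiki's code and not the actual patch for this issue: a small Python reproduction of the flawed prefix check beside an anchored whole-host match, run over the advisory's hostname. The allow-list, the wildcard entry "*.wikimedia.org" and the hypothetical `cors_headers` helper are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list in the shape of $wgCrossSiteAJAXdomains entries.
# The wildcard entry is an assumption for illustration, not taken from the advisory.
ALLOWED_DOMAINS = ["en.wikipedia.org", "*.wikimedia.org"]


def origin_host(origin):
    """Extract the lowercased hostname from an Origin header value.

    Returns None for anything that is not an http(s) origin with a host, so
    malformed or 'null' origins never reach the allow-list comparison.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def domain_regex(pattern, anchored):
    """Turn an allow-list entry into a regex over the hostname.

    '*' becomes '.*'; every other character is matched literally.  With
    anchored=False the regex is only pinned to the start of the host, which is
    the prefix-match flaw the advisory describes; anchored=True also pins it
    to the end, so the entire hostname must match the entry.
    """
    body = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.compile("^" + body + ("$" if anchored else ""))


def allowed_origin(origin, allowed=ALLOWED_DOMAINS, anchored=True):
    """Return True if the Origin's host matches any allow-list entry."""
    host = origin_host(origin)
    if host is None:
        return False
    return any(domain_regex(d, anchored).match(host) for d in allowed)


def cors_headers(origin, anchored=True):
    """Hypothetical helper: the CORS headers a server would add for this Origin.

    Reflecting the Origin value is only safe after a whole-host match; with the
    prefix check an attacker-chosen origin gets reflected.  Vary: Origin keeps
    caches from serving one origin's ACAO to another.
    """
    if allowed_origin(origin, anchored=anchored):
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    # Constructed probe origins: one legitimate, two using an allowed domain as a prefix.
    for o in [
        "https://en.wikipedia.org",
        "http://en.wikipedia.org.evilsite.example",
        "https://commons.wikimedia.org.evilsite.example",
    ]:
        print(
            f"{o:50} prefix-check: {bool(cors_headers(o, anchored=False))!s:5} "
            f"anchored-check: {bool(cors_headers(o))}"
        )
```

A quick check against a live deployment is the same idea as the probe loop: send a request with an `Origin` header whose hostname starts with one of the site's configured domains (for example `Origin: http://en.wikipedia.org.evilsite.example`) and inspect whether the response's Access-Control-Allow-Origin echoes it back; a correctly anchored matcher returns no such header.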