Security Advisory 2005-08-15

Remote PHP Code Injection Vulnerability in phpMyFAQ 1.4.x and 1.5.x

Issued on: 2005-08-15
Software: phpMyFAQ <= 1.4.10 and phpMyFAQ <= 1.5.0 RC6
Risk: high
Platforms: all

The phpMyFAQ Team has learned of a serious security issue in the bundled XML-RPC library used in phpMyFAQ 1.4 and 1.5.

Description

The bundled XML-RPC library allows injection of arbitrary PHP code into eval() statements. This is caused by improper handling of XML-RPC requests and responses that are malformed in a certain way.

Solution

The phpMyFAQ Team has released new phpMyFAQ versions 1.4.11 and 1.5.0 RC7, which incorporate a fixed version of the bundled XML-RPC library. All users of affected phpMyFAQ versions are encouraged to upgrade to these latest versions as soon as possible.

Workaround

As a temporary hotfix you can delete the files xmlrpc.php and xmlrpcs.php in the directory inc/ so that your FAQ will not easily allow execution of malicious XML-RPC method calls.
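
An audit check for the version ranges and workaround described above, added here as an example and not code from the phpMyFAQ project. The function names, status labels and accepted version-string format ("1.4.10", "1.5.0 RC6") are assumptions, and the caller supplies the installed version because this advisory does not say where phpMyFAQ stores it.

```python
import re
import tempfile
from pathlib import Path

# Files the advisory's workaround says to delete, relative to the install root.
XMLRPC_FILES = ("inc/xmlrpc.php", "inc/xmlrpcs.php")

# First fixed release per branch, taken from the advisory: 1.4.11 and 1.5.0 RC7.
# Key layout: (major, minor, patch, stage, rc) where stage 0 = RC, 1 = final.
FIRST_FIXED = {(1, 4): (1, 4, 11, 1, 0), (1, 5): (1, 5, 0, 0, 7)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[ -]?RC(\d+))?$", re.IGNORECASE)


def version_key(version):
    """Turn '1.4.10' or '1.5.0 RC6' into a sortable tuple (RC sorts before final)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    rc = m.group(4)
    return (major, minor, patch, 0 if rc else 1, int(rc) if rc else 0)


def audit_install(root, version):
    """Return (status, leftover_files) for one phpMyFAQ install directory."""
    key = version_key(version)
    fixed = FIRST_FIXED.get(key[:2])
    if fixed is None:
        return ("not-covered", [])  # the advisory only speaks about 1.4.x and 1.5.x
    if key >= fixed:
        return ("fixed", [])
    # Affected release: report which of the XML-RPC files are still deployed.
    present = [f for f in XMLRPC_FILES if (Path(root) / f).is_file()]
    return ("vulnerable" if present else "workaround-applied", present)


if __name__ == "__main__":
    # Constructed sample tree: an affected version with one file still in place.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "inc").mkdir()
        (Path(tmp) / "inc" / "xmlrpcs.php").write_text("<?php // placeholder\n")
        print(audit_install(tmp, "1.5.0 RC6"))
        print(audit_install(tmp, "1.4.11"))
```

A "workaround-applied" result still means the install runs an affected release and should be upgraded, since the advisory describes the file deletion only as a temporary hotfix.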

Credits

The phpMyFAQ Team would like to thank Stefan Esser and the Hardened-PHP Project for discovering this vulnerability. The Hardened-PHP Project has also released a more detailed advisory.
