The phpMyFAQ Team has learned of a serious security issue discovered in the file upload functionality of phpMyFAQ 2.9.
The vulnerability is caused by missing CSRF and file type checks, which can be exploited to execute arbitrary PHP code.
This issue allows for possible remote code execution.
The phpMyFAQ Team has released phpMyFAQ version 2.9.6, which fixes the vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade to this latest version as soon as possible.
There's no workaround except installing phpMyFAQ 2.9.6.
The phpMyFAQ Team would like to thank Clifford Trigo from Invalid Web Security for the responsible disclosure of this vulnerability.
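
The two checks named above as missing, a CSRF token check and a file type check, look roughly like this in an upload handler. This is an added example, not phpMyFAQ's code or its 2.9.6 fix, and upgrading remains the fix for affected installations. The function name, the allowlist and the sample file names are assumptions made for illustration.

```php
<?php
// Added example, not phpMyFAQ code. All names below are hypothetical.
declare(strict_types=1);
const ALLOWED_TYPES = [            // extension => expected MIME type (assumed allowlist)
    'png' => 'image/png',
    'pdf' => 'application/pdf',
    'txt' => 'text/plain',
];

/** Returns a server-generated stored filename, or throws if a check fails. */
function validateUpload(string $sessionToken, string $postedToken,
                        string $clientName, string $tmpPath): string
{
    // 1. CSRF check: the request must carry the per-session token.
    if ($sessionToken === '' || !hash_equals($sessionToken, $postedToken)) {
        throw new RuntimeException('CSRF token mismatch');
    }
    // 2. File type check: the extension must be on the allowlist ...
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // ... and the detected content type must match what the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type '$mime' does not match .$ext");
    }
    // 3. Never reuse the client-supplied name; generate the stored name server-side.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs so the script runs offline from the PHP CLI.
$token = bin2hex(random_bytes(32));
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "plain text attachment\n");
$cases = [
    'valid text upload'  => [$token, $token, 'notes.txt', $tmp],
    'missing CSRF token' => [$token, '',     'notes.txt', $tmp],
    'script extension'   => [$token, $token, 'notes.php', $tmp],
    'mismatched content' => [$token, $token, 'notes.png', $tmp],
];
foreach ($cases as $label => $args) {
    try {
        echo "$label: stored as " . validateUpload(...$args) . "\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
unlink($tmp);
```

Storing uploads outside the web root, or in a directory where the server does not execute scripts, complements these checks.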