The phpMyFAQ Team has learned of some security issues that have been discovered in phpMyFAQ 2.9.8 and earlier. phpMyFAQ contains cross-site request forgery, cross-site scripting and SQL injection vulnerabilities.
phpMyFAQ does not implement sufficient checks to avoid XSS, CSRF and SQL injection. For the XSS and CSRF vulnerabilities you need administrator privileges to be executed.
The phpMyFAQ Team has released the new phpMyFAQ versions 2.9.9 which fix the vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
There's no workaround except installing phpMyFAQ 2.9.9.
The phpMyFAQ teams would like to thank Ishaq Mohammed, Nikhil Mittal and Chirag Solanki. We also like to thank Li Ke and Zhou Junyu from Tencent's Xuanwu Lab. for the responsible disclosure of these vulnerabilities.