Security Advisory 2025-12-29
Stored cross-site scripting (XSS) and unauthenticated config backup download vulnerability in phpMyFAQ
- Issued on: 2025-12-29
- Software: phpMyFAQ <= 4.0.15
- Risk: High
- Platforms: all
The phpMyFAQ Team has learned of security issues that have been discovered in phpMyFAQ 4.0.15 and earlier.
Description
A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an
administrator’s browser by registering a user whose display name contains HTML entities (e.g., <img ...>). When
an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting
in script execution in the admin context.
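The following is an added illustration, not phpMyFAQ's own code: it contrasts the rendering pattern the advisory describes (entity-decode the stored display name, then echo it into the admin user list) with the hardened form that escapes the value at the point it enters HTML. The display name, function names and table markup are constructed for the example; the sample uses a harmless `<b>` tag so the difference in output is visible without any script.

```php
<?php
// Added example (not phpMyFAQ code): why decoding HTML entities before output
// re-introduces stored XSS, and the fix of escaping at render time.
declare(strict_types=1);

// Constructed sample: a display name submitted at registration with the
// tags entity-encoded, which is how it would sit in the database.
$storedDisplayName = '&lt;b&gt;Mallory&lt;/b&gt;';

// Vulnerable pattern (as described in the advisory): the stored value is
// entity-decoded server-side and echoed into the admin user list without
// escaping, so the decoded tags become live markup in the admin's browser.
function renderUserRowVulnerable(string $displayName): string
{
    $decoded = html_entity_decode($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $decoded . '</td>';
}

// Hardened pattern: whatever normalisation happens first, the value is
// treated as untrusted text and passed through htmlspecialchars() at the
// exact point it is inserted into HTML. Output escaping is the primary
// control; input filtering is at most defence in depth.
function renderUserRowSafe(string $displayName): string
{
    $decoded = html_entity_decode($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence-in-depth check at registration time (hypothetical helper): a
// display name should not contain angle brackets once decoded, regardless
// of how the user encoded them on submission.
function isAcceptableDisplayName(string $submitted): bool
{
    $decoded = html_entity_decode($submitted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return mb_strlen($decoded) <= 64 && preg_match('/[<>]/', $decoded) === 0;
}

echo renderUserRowVulnerable($storedDisplayName), PHP_EOL; // tags survive as markup
echo renderUserRowSafe($storedDisplayName), PHP_EOL;       // tags survive only as text
var_dump(isAcceptableDisplayName($storedDisplayName));     // rejected at registration
```

The decisive difference is the order of operations: decoding entities and then emitting the result is equivalent to emitting raw user input, while escaping as the last step before output keeps the browser from interpreting anything the user typed as markup.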
An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and
then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files
(e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on
compromise.
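Until an instance is upgraded, the request pattern described above is easy to spot in web-server logs. The script below is an added example, not part of the advisory or of phpMyFAQ: it parses combined-format access log lines and flags a client that POSTs to /api/setup/backup and then successfully fetches a .zip. The log lines, client addresses and the ZIP's path are constructed; the real location of the generated archive is not stated in the advisory, so the check matches any .zip download rather than a specific path.

```php
<?php
// Added example (not phpMyFAQ code): detect the backup-trigger-then-download
// sequence described in the advisory in Apache/nginx combined access logs.
declare(strict_types=1);

// Constructed sample log lines (the ZIP path is an assumption for the example).
$logLines = [
    '203.0.113.7 - - [29/Dec/2025:10:01:02 +0000] "POST /api/setup/backup HTTP/1.1" 200 51 "-" "curl/8.4.0"',
    '203.0.113.7 - - [29/Dec/2025:10:01:04 +0000] "GET /content/backup-20251229.zip HTTP/1.1" 200 18233 "-" "curl/8.4.0"',
    '198.51.100.2 - - [29/Dec/2025:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 7304 "-" "Mozilla/5.0"',
];

// Parse one combined-format line: ip ident user [time] "METHOD path proto" status bytes ...
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Return human-readable findings for the sequence: POST /api/setup/backup
// from a client, followed by a 200 response to a GET of any .zip by that client.
function findBackupAbuse(array $lines): array
{
    $triggered = []; // ip => time of the backup-generation request
    $findings  = [];
    foreach ($lines as $line) {
        $r = parseLogLine($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && $r['path'] === '/api/setup/backup') {
            $triggered[$r['ip']] = $r['time'];
            $findings[] = "backup generation triggered by {$r['ip']} at {$r['time']}";
            continue;
        }
        $pathOnly = explode('?', $r['path'], 2)[0]; // drop any query string
        if ($r['method'] === 'GET' && isset($triggered[$r['ip']])
            && $r['status'] === 200 && preg_match('/\.zip$/i', $pathOnly) === 1) {
            $findings[] = "ZIP downloaded by {$r['ip']} after backup trigger: {$r['path']}";
        }
    }
    return $findings;
}

foreach (findBackupAbuse($logLines) as $finding) {
    echo $finding, PHP_EOL;
}
```

Any POST to /api/setup/backup on a production instance is worth an alert on its own, since setup endpoints should not be reachable after installation; a follow-up .zip download by the same client is the confirmation that the configuration archive, including the database credentials, has left the server and that those credentials should be rotated.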
Solution
The phpMyFAQ Team has released the new phpMyFAQ versions 4.0.16 and 4.1.0-RC, which fix the vulnerabilities. All
users of affected phpMyFAQ versions are encouraged to upgrade to one of these versions as soon as possible.
Workaround
There is no workaround other than installing phpMyFAQ 4.0.16 or 4.1.0-RC.
Thanks
The phpMyFAQ team would like to thank **eclipse07077** for the responsible disclosure of these vulnerabilities.