GHSA-XVP4-PHQJ-CJR3: Insecure Direct Object Reference (IDOR) Leading to Account Takeover in phpMyFAQ

Vulnerability ID: GHSA-XVP4-PHQJ-CJR3
CVSS Score: 8.8
Published: 2026-05-20

phpMyFAQ versions prior to 4.1.3 contain a critical Insecure Direct Object Reference (IDOR) vulnerability within the administration API. An authenticated attacker with basic user-edit privileges can exploit this flaw to overwrite the password of any higher-privileged user, including the SuperAdmin account. This leads to complete application compromise.

TL;DR

An IDOR vulnerability in phpMyFAQ < 4.1.3 allows authenticated low-privileged administrators to purposefully reset the SuperAdmin password, resulting in total privilege escalation and account takeover.

⚠️ Exploit Status: POC

Technical Details

CVE ID: GHSA-xvp4-phqj-cjr3
CVSS Score: 8.8
Attack Vector: Network
Authentication Required: Low Privilege (USER_EDIT)
CWE ID: CWE-639, CWE-285
Impact: Complete Account Takeover
Exploit Status: PoC Available

Affected Systems

phpMyFAQ (< 4.1.3)
phpmyfaq/phpmyfaq: < 4.1.3 (Fixed in: 4.1.3)

Mitigation Strategies

Upgrade phpMyFAQ to version 4.1.3 or later.
Implement WAF rules to restrict PUT requests to the vulnerable API endpoint.
Audit administrative accounts to ensure minimal distribution of the USER_EDIT permission.
Enable verbose auditing for administrative actions, specifically monitoring the USER_CHANGE_PASSWORD event.

Remediation Steps:

Back up the current phpMyFAQ database and file system.
Download the latest stable release (>= 4.1.3) from the official repository or via Composer.
Deploy the updated application files over the existing installation.
Run the phpMyFAQ update script to apply any necessary database migrations.
Verify the integrity of all administrative accounts and reset the password of the SuperAdmin account as a precaution.