GHSA-985R-Q3QP-299H: Incomplete Fix in phpMyFAQ Admin API Enables Privilege Escalation and Account Takeover
Vulnerability ID: GHSA-985R-Q3QP-299H
CVSS Score: 8.8
Published: 2026-06-26
An incomplete mitigation of a predecessor vulnerability (GHSA-xvp4-phqj-cjr3 / CVE-2026-35671) in phpMyFAQ leaves sister administrative API endpoints vulnerable to Insecure Direct Object Reference (IDOR). Specifically, the editUser and updateUserRights endpoints lack object-level access controls, permitting authenticated low-privilege administrators to escalate their privileges or hijack SuperAdmin accounts.
TL;DR
An incomplete security patch in phpMyFAQ allows low-privilege administrative accounts to bypass authorization controls. The editUser and updateUserRights endpoints check only that the caller is an admin, not whether the caller may act on the user named in the request, so an attacker who simply names another user's ID in the request body can modify a SuperAdmin's profile or raise their own rights, resulting in full application takeover.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-639 (Authorization Bypass Through User-Controlled Key)
- Attack Vector: Network
- CVSS v3.1 Score: 8.8
- EPSS Score: Not Available
- Vulnerability Type: Insecure Direct Object Reference (IDOR)
- Impact: Privilege Escalation & Account Takeover
- Exploit Status: PoC
- KEV Status: No
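The following is an added illustration of the missing check, not phpMyFAQ's own code: a vulnerable editUser handler that enforces only function-level access (can the caller reach the admin panel?) next to hardened editUser and updateUserRights handlers that add the object-level checks the advisory describes. The User class, the right names ('admin_panel', 'edit_user', ...), the payload field names and the sample users are assumptions; it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Class, right names and payload fields are assumed.
final class User
{
    /** @param string[] $rights */
    public function __construct(
        public int $id,
        public string $email,
        public array $rights,
        public bool $isSuperAdmin = false,
    ) {}
}

final class Forbidden extends RuntimeException {}

function hasRight(User $u, string $right): bool
{
    return in_array($right, $u->rights, true);
}

/** Vulnerable: function-level check only, the caller chooses the target key. */
function editUserVulnerable(User $actor, array $payload, array $users): void
{
    if (!hasRight($actor, 'admin_panel')) {
        throw new Forbidden('no admin access');
    }
    $target = $users[(int) $payload['user_id']];   // no check that $actor may touch this user
    $target->email = $payload['email'];            // SuperAdmin profile overwritten
}

/** Hardened: validate the key, then decide whether this actor may touch that object. */
function editUserHardened(User $actor, array $payload, array $users): void
{
    if (!hasRight($actor, 'admin_panel')) {
        throw new Forbidden('no admin access');
    }
    $targetId = filter_var($payload['user_id'] ?? null, FILTER_VALIDATE_INT);
    if ($targetId === false || !isset($users[$targetId])) {
        throw new Forbidden('unknown target user');
    }
    $target = $users[$targetId];
    if ($targetId !== $actor->id && !hasRight($actor, 'edit_user')) {
        throw new Forbidden('may only edit own profile');
    }
    if ($target->isSuperAdmin && !$actor->isSuperAdmin) {
        throw new Forbidden('only a SuperAdmin may modify a SuperAdmin');
    }
    $target->email = $payload['email'];
}

/** Hardened updateUserRights: an admin may not hand out rights it does not hold itself. */
function updateUserRightsHardened(User $actor, int $targetId, array $newRights, array $users): void
{
    if (!hasRight($actor, 'edit_user')) {
        throw new Forbidden('no right to change user rights');
    }
    $target = $users[$targetId] ?? throw new Forbidden('unknown target user');
    if ($target->isSuperAdmin && !$actor->isSuperAdmin) {
        throw new Forbidden('only a SuperAdmin may modify a SuperAdmin');
    }
    $granted = array_diff($newRights, $actor->rights);   // rights the actor lacks
    if ($granted !== []) {
        throw new Forbidden('cannot grant rights you do not hold: ' . implode(',', $granted));
    }
    $target->rights = array_values(array_unique($newRights));
}

// Constructed scenario: user 1 is the SuperAdmin, user 7 a low-privilege admin.
$users = [
    1 => new User(1, 'root@example.test', ['admin_panel', 'edit_user', 'add_user', 'delete_user'], true),
    7 => new User(7, 'junior@example.test', ['admin_panel', 'edit_user']),
];
$payload = ['user_id' => 1, 'email' => 'attacker@example.test'];   // IDOR attempt on the SuperAdmin

editUserVulnerable($users[7], $payload, $users);
echo "vulnerable: SuperAdmin email is now {$users[1]->email}\n";

$users[1]->email = 'root@example.test';
$attempts = [
    'editUser'         => fn() => editUserHardened($users[7], $payload, $users),
    'updateUserRights' => fn() => updateUserRightsHardened($users[7], 7, ['admin_panel', 'edit_user', 'delete_user'], $users),
];
foreach ($attempts as $name => $attempt) {
    try {
        $attempt();
        echo "$name: allowed\n";
    } catch (Forbidden $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

The hardened handlers make two decisions the vulnerable one never makes: whether the target object is one this actor is allowed to reach (own profile, or any non-SuperAdmin if the actor holds edit_user), and whether the requested change stays within the actor's own authority (no granting rights the actor lacks). Both are needed; the `edit_user` right alone would still let a low-privilege admin rewrite the SuperAdmin's email.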
Affected Systems
- phpMyFAQ deployments with administrative API routes enabled
- phpMyFAQ: <= 4.1.3
Mitigation Strategies
- Restrict network access to the admin panel with IP allowlists or a VPN gateway. This limits who can reach the vulnerable endpoints at all; it does not stop an already authenticated low-privilege admin from abusing them.
- Log the request body of every call to the editUser and updateUserRights endpoints together with the session's user ID, so that requests whose target user ID differs from the caller's (or names a SuperAdmin) can be reviewed.
- Deploy WAF rules that alert on PUT requests to the user-modification endpoints whose JSON payload carries a SuperAdmin user ID. A WAF cannot see the application's permission model or session ownership, so treat this as a detection aid rather than a substitute for the patch.
Remediation Steps:
- Identify the current phpMyFAQ deployment version and confirm whether it is 4.1.3 or earlier.
- Upgrade to a phpMyFAQ release later than 4.1.3 that carries the completed authorization checks in UserController; the earlier fix for CVE-2026-35671 did not cover the editUser and updateUserRights endpoints.
- Audit the administrative user list against a baseline from before the exposure window: verify that no SuperAdmin account's email address has been changed and that no low-privilege admin has gained rights or group roles it was not assigned.
- Invalidate all active administrative sessions after the upgrade so every admin re-authenticates under the new access-control checks, and reset the credentials of any SuperAdmin account whose email address was found changed.
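As an added example of the logging review and the post-upgrade audit above (not phpMyFAQ code), the script below re-applies the missing object-level rule retroactively: it scans admin API request logs for calls to editUser and updateUserRights that cross a user boundary or target a SuperAdmin, and diffs a pre-exposure snapshot of the user table against the current one. The one-JSON-object-per-request log format, its field names, the SuperAdmin ID list and all sample data are constructed assumptions about the deployment.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Log format, field names and IDs are assumptions.
const USER_MOD_ENDPOINTS = ['editUser', 'updateUserRights'];
const SUPERADMIN_IDS     = [1];   // assumption: take the real IDs from the user table

/** Flag user-modification requests that cross a privilege or ownership boundary. */
function scanAdminLog(string $log): array
{
    $alerts = [];
    foreach (explode("\n", trim($log)) as $i => $line) {
        $rec = json_decode($line, true, 512, JSON_THROW_ON_ERROR);
        if (!in_array($rec['endpoint'], USER_MOD_ENDPOINTS, true)) {
            continue;
        }
        $actor        = (int) $rec['session_user'];
        $target       = (int) ($rec['body']['user_id'] ?? -1);
        $actorIsSuper = in_array($actor, SUPERADMIN_IDS, true);
        $reasons      = [];
        if (in_array($target, SUPERADMIN_IDS, true) && !$actorIsSuper) {
            $reasons[] = 'non-SuperAdmin targeting a SuperAdmin account';
        }
        if ($rec['endpoint'] === 'updateUserRights' && $target === $actor) {
            $reasons[] = 'user changing its own rights';
        }
        if ($target !== $actor && !$actorIsSuper) {
            $reasons[] = 'cross-user edit by non-SuperAdmin (review against granted rights)';
        }
        if ($reasons !== []) {
            $alerts[] = ['line' => $i + 1, 'ts' => $rec['ts'], 'actor' => $actor,
                         'target' => $target, 'endpoint' => $rec['endpoint'], 'reasons' => $reasons];
        }
    }
    return $alerts;
}

/** Diff a pre-exposure baseline of the admin user table against the current one. */
function auditUsers(array $baseline, array $current): array
{
    $findings = [];
    foreach ($current as $id => $row) {
        if (!isset($baseline[$id])) {
            $findings[] = "user $id: created since baseline";
            continue;
        }
        if ($row['email'] !== $baseline[$id]['email']) {
            $findings[] = "user $id: email {$baseline[$id]['email']} -> {$row['email']}";
        }
        $gained = array_values(array_diff($row['rights'], $baseline[$id]['rights']));
        if ($gained !== []) {
            $findings[] = "user $id: gained rights " . implode(',', $gained);
        }
    }
    return $findings;
}

// Constructed sample log: user 7 is a low-privilege admin, user 1 the SuperAdmin.
$log = <<<'LOG'
{"ts":"2026-06-27T09:01:10Z","session_user":7,"endpoint":"editUser","body":{"user_id":7,"email":"junior@example.test"}}
{"ts":"2026-06-27T09:02:41Z","session_user":7,"endpoint":"editUser","body":{"user_id":1,"email":"attacker@example.test"}}
{"ts":"2026-06-27T09:03:05Z","session_user":7,"endpoint":"updateUserRights","body":{"user_id":7,"rights":["admin_panel","edit_user","delete_user"]}}
{"ts":"2026-06-27T09:04:00Z","session_user":1,"endpoint":"editUser","body":{"user_id":7,"email":"junior2@example.test"}}
{"ts":"2026-06-27T09:05:00Z","session_user":7,"endpoint":"listFaqs","body":{}}
LOG;

// Constructed user-table snapshots (email + rights) before and after the exposure window.
$baseline = [
    1 => ['email' => 'root@example.test',   'rights' => ['admin_panel', 'edit_user', 'add_user', 'delete_user']],
    7 => ['email' => 'junior@example.test', 'rights' => ['admin_panel']],
];
$current = [
    1 => ['email' => 'attacker@example.test', 'rights' => ['admin_panel', 'edit_user', 'add_user', 'delete_user']],
    7 => ['email' => 'junior2@example.test',  'rights' => ['admin_panel', 'edit_user', 'delete_user']],
];

foreach (scanAdminLog($log) as $a) {
    printf("log line %d %s: user %d -> user %d via %s: %s\n",
        $a['line'], $a['ts'], $a['actor'], $a['target'], $a['endpoint'], implode('; ', $a['reasons']));
}
foreach (auditUsers($baseline, $current) as $f) {
    echo "audit: $f\n";
}
```

With the sample data, the log scan reports line 2 (user 7 editing the SuperAdmin) and line 3 (user 7 changing its own rights) and stays silent on line 4, where the SuperAdmin legitimately edits another user. The audit shows the SuperAdmin's changed email and user 7's newly gained rights, which is exactly the pair of findings that should trigger the credential reset in the last remediation step.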
References
- GHSA-xvp4-phqj-cjr3 / CVE-2026-35671: the predecessor phpMyFAQ advisory whose incomplete fix this issue completes.
- CWE-639: Authorization Bypass Through User-Controlled Key.