GHSA-XVP4-PHQJ-CJR3: Insecure Direct Object Reference (IDOR) Leading to Account Takeover in phpMyFAQ
Vulnerability ID: GHSA-XVP4-PHQJ-CJR3
CVSS Score: 8.8
Published: 2026-05-20
phpMyFAQ versions prior to 4.1.3 contain a high-severity (CVSS 8.8) Insecure Direct Object Reference (IDOR) vulnerability in the administration API. An authenticated user who holds only the USER_EDIT permission can use it to overwrite the password of any higher-privileged user, including the SuperAdmin account, which leads to complete compromise of the application.
TL;DR
An IDOR vulnerability in phpMyFAQ < 4.1.3 lets an authenticated, low-privileged admin user (USER_EDIT only) reset the SuperAdmin password, giving full privilege escalation and account takeover.
⚠️ Exploit Status: POC
Technical Details
- Advisory ID: GHSA-xvp4-phqj-cjr3 (GitHub Security Advisory)
- CVSS Score: 8.8
- Attack Vector: Network
- Authentication Required: yes, an account holding the USER_EDIT permission (low privilege)
- CWE ID: CWE-639, CWE-285
- Impact: Complete Account Takeover
- Exploit Status: PoC Available
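The flaw described above, reduced to its essentials: a password-change handler that only checks that the caller holds USER_EDIT, next to one that also performs object-level authorization on the target account. This is an added illustration of the vulnerability class, not phpMyFAQ's own code; the in-memory user store, the `is_superadmin` flag and every right name other than USER_EDIT are assumptions made for the example.

```python
"""Vulnerable vs. hardened "change another user's password" handler.

Added illustration of the IDOR pattern in the advisory, not phpMyFAQ code.
The user store, the is_superadmin flag and the right names other than
USER_EDIT are assumptions made for this example.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the actor is not authorised to perform the change."""


@dataclass
class User:
    user_id: int
    login: str
    rights: set                      # e.g. {"USER_EDIT"}
    is_superadmin: bool = False
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""

    def set_password(self, password: str) -> None:
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        return secrets.compare_digest(candidate, self.password_hash)


USERS = {}  # user_id -> User (stands in for the users table)


def make_user(user_id, login, rights, password, is_superadmin=False) -> User:
    user = User(user_id, login, set(rights), is_superadmin)
    user.set_password(password)
    USERS[user_id] = user
    return user


def change_password_vulnerable(actor: User, target_id: int, new_password: str) -> None:
    """Flawed pattern: the only check is that the actor holds USER_EDIT.

    target_id comes straight from the PUT body, so any USER_EDIT holder can
    point it at the SuperAdmin's id (CWE-639, user-controlled key)."""
    if "USER_EDIT" not in actor.rights:
        raise Forbidden("USER_EDIT required")
    USERS[target_id].set_password(new_password)


def can_edit(actor: User, target: User) -> bool:
    """Object-level authorisation: USER_EDIT lets you manage peers and
    lower-privileged accounts, never accounts holding rights you lack."""
    if actor.user_id == target.user_id:
        return True                                  # self-service change
    if "USER_EDIT" not in actor.rights:
        return False
    if target.is_superadmin and not actor.is_superadmin:
        return False
    return target.rights <= actor.rights             # target rights are a subset


def change_password_hardened(actor: User, target_id: int, new_password: str) -> None:
    target = USERS.get(target_id)
    if target is None or not can_edit(actor, target):
        # Same response for "missing" and "forbidden" so ids cannot be enumerated.
        raise Forbidden("not permitted to edit this user")
    target.set_password(new_password)


def demo() -> dict:
    """Replays the attack against both handlers and reports what happened."""
    USERS.clear()
    superadmin = make_user(1, "admin", {"USER_EDIT", "USER_DELETE", "CONFIG_EDIT"},
                           "S3cret!", is_superadmin=True)
    editor = make_user(7, "helpdesk", {"USER_EDIT"}, "helpdesk-pw")
    viewer = make_user(9, "viewer", set(), "viewer-pw")

    change_password_vulnerable(editor, superadmin.user_id, "pwned")
    took_over = superadmin.check_password("pwned")
    superadmin.set_password("S3cret!")               # restore for the second run

    try:
        change_password_hardened(editor, superadmin.user_id, "pwned")
        blocked = False
    except Forbidden:
        blocked = True
    change_password_hardened(editor, viewer.user_id, "new-viewer-pw")  # legitimate use

    return {"vulnerable_takeover": took_over,
            "hardened_blocked": blocked,
            "superadmin_intact": superadmin.check_password("S3cret!"),
            "hardened_allows_lower": viewer.check_password("new-viewer-pw")}
```

The hardened handler returns the same error for a non-existent and a forbidden target so that user ids cannot be enumerated through the response, and it decides on the relationship between actor and target rather than on the actor's permission alone, which is the check the vulnerable version is missing.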
Affected Systems
- phpMyFAQ (< 4.1.3)
- phpmyfaq/phpmyfaq: < 4.1.3 (fixed in 4.1.3)
Mitigation Strategies
- Upgrade phpMyFAQ to version 4.1.3 or later.
- As an interim measure, use WAF or reverse-proxy rules to restrict PUT requests to the affected admin user API endpoint (for example, to trusted source addresses); this only reduces exposure, since the missing authorization check is in the application itself.
- Audit administrative accounts and grant the USER_EDIT permission to as few accounts as possible.
- Enable verbose auditing of administrative actions and alert on USER_CHANGE_PASSWORD events in which the actor is a different, lower-privileged account than the target.
Remediation Steps:
- Back up the current phpMyFAQ database and file system.
- Download the latest stable release (>= 4.1.3) from the official repository or via Composer.
- Deploy the updated application files over the existing installation.
- Run the phpMyFAQ update script to apply any necessary database migrations.
- Verify the integrity of all administrative accounts (unexpected accounts, changed rights, recent password changes) and reset the SuperAdmin password as a precaution, since an attacker who already used this flaw holds the current one.
References
The full report for GHSA-XVP4-PHQJ-CJR3, including the complete exploit analysis, is available on the publisher's website.