PhpMyFAQ, Authentication Bypass, GHSA-w9xh-5f39-vq89 (Critical)

Listen to this Post

The vulnerability exists in phpMyFAQ’s password reset API (UnauthorizedUserController.php, lines 56‑130). The `updatePassword()` method accepts a PUT request with only a username and email in the JSON body.
When a valid pair is provided, the application immediately generates a new plaintext password, writes it to the account, and sends it via email—without any token verification, rate limiting, or email confirmation.
An attacker can first enumerate valid username/email pairs by observing the response differences (200 OK vs 409 Conflict).
Once a valid pair is known, a second PUT request forces an immediate password change, giving the attacker a new plaintext password.
The attacker can then log in as the victim (including SuperAdmin) and perform any action.
No authentication, user interaction, or special privileges are required.

DailyCVE Form

Platform: ……. phpMyFAQ
Version: …….. < 4.1.3
Vulnerability : Authentication Bypass
Severity: ……. Critical
Date: ………. 2026‑05‑20

Prediction: …. Patch by 2026‑06‑03

What Undercode Say

Enumerate valid username/email
curl -X PUT -H "Content-Type: application/json" \
-d '{"username":"admin","email":"[email protected]"}' \
http://target/phpmyfaq/api/user/password/update
Forced password reset (valid pair)
curl -X PUT -H "Content-Type: application/json" \
-d '{"username":"admin","email":"[email protected]"}' \
http://target/phpmyfaq/api/user/password/update
After reset, new password is sent in plaintext
// Vulnerable code snippet
$loginExist = $user->getUserByLogin($username);
if ($loginExist && $email === $user->getUserData('email')) {
$newPassword = $user->createPassword();
$user->changePassword($newPassword);
$mail->send(); // New password sent in plaintext
}

Exploit

  1. Enumerate valid username/email pairs by sending PUT requests and checking response codes.
  2. For any valid pair, send the same PUT request again.
  3. Receive a new plaintext password for the victim’s account via email (or intercept the email if possible).
  4. Log in as the victim using the new password – complete account takeover.

Protection from this CVE

  • Upgrade phpMyFAQ to version 4.1.3 or later.
  • Implement a time‑limited cryptographic token in the password reset flow.
  • Add rate limiting to the `/api/user/password/update` endpoint.
  • Send a verification email to the original address before resetting the password.
  • Do not send new passwords in plaintext; use a secure reset link.

Impact

  • Full administrative access to the phpMyFAQ instance.
  • Total loss of confidentiality (all user data and FAQ content exposed).
  • Total loss of integrity (attacker can modify all content and settings).
  • Total loss of availability (attacker can lock out legitimate users).
  • Account takeover for every user, including SuperAdmin.
  • No user interaction required – the attack is completely silent.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top