Security Advisory 2025-11-15
Authenticated SQL Injection in Configuration Update Functionality in phpMyFAQ
- Issued on: 2025-11-15
- Software: phpMyFAQ <= 4.0.13
- Risk: High
- Platforms: all
The phpMyFAQ Team has learned of a security issue that was discovered in phpMyFAQ 4.0.13 and
earlier.
Description
An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (4.0.13 and
earlier) allows a privileged user holding the 'Configuration Edit' permission to execute arbitrary SQL commands against
the application database. Successful exploitation can lead to full compromise of the database, including reading,
modifying or deleting all data, and potentially to remote code execution depending on the database configuration.
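The advisory does not disclose the injection point, so the following is an added illustration of the vulnerability class, not phpMyFAQ's code and not the actual vector: a configuration update that splices a user-controlled value into the SQL string beside the parameterized form that fixes it. The table and column names (faqconfig, config_name, config_value), the sample keys and the in-memory SQLite database are all constructed for the demo; the payload is a generic quote-and-comment injection that turns a single-key UPDATE into a table-wide one.

```python
"""Vulnerable vs. parameterized configuration update (constructed illustration).

Not phpMyFAQ code. Table name, column names and configuration keys are
assumptions chosen for this demo; the database is in-memory SQLite.
"""
import sqlite3

# Constructed sample rows standing in for an application's configuration table.
SAMPLE_CONFIG = [
    ("site.title", "My FAQ"),
    ("admin.email", "admin@example.org"),
    ("security.loginOnly", "false"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample config."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faqconfig (config_name TEXT PRIMARY KEY, config_value TEXT)"
    )
    conn.executemany("INSERT INTO faqconfig VALUES (?, ?)", SAMPLE_CONFIG)
    conn.commit()
    return conn


def update_config_unsafe(conn: sqlite3.Connection, key: str, value: str) -> None:
    """Vulnerable pattern: the submitted value is concatenated into the query.

    A value containing a quote can terminate the string literal and rewrite
    the rest of the statement.
    """
    sql = f"UPDATE faqconfig SET config_value = '{value}' WHERE config_name = '{key}'"
    conn.execute(sql)
    conn.commit()


def update_config_safe(conn: sqlite3.Connection, key: str, value: str) -> None:
    """Hardened pattern: placeholders; the driver passes values out of band,
    so quotes in the value are stored literally and never parsed as SQL."""
    conn.execute(
        "UPDATE faqconfig SET config_value = ? WHERE config_name = ?",
        (value, key),
    )
    conn.commit()


def read_config(conn: sqlite3.Connection) -> dict:
    """Return the whole table as {config_name: config_value}."""
    return dict(
        conn.execute("SELECT config_name, config_value FROM faqconfig ORDER BY config_name")
    )


# Generic payload: closes the quoted value, then '--' comments out the WHERE
# clause, so the UPDATE is no longer restricted to one key.
PAYLOAD = "pwned' --"


def demo_unsafe() -> dict:
    """Apply the payload through the vulnerable path; every row is overwritten."""
    conn = make_db()
    update_config_unsafe(conn, "site.title", PAYLOAD)
    return read_config(conn)


def demo_safe() -> dict:
    """Apply the same payload through the parameterized path; only the
    targeted key changes, and it stores the payload as plain text."""
    conn = make_db()
    update_config_safe(conn, "site.title", PAYLOAD)
    return read_config(conn)


if __name__ == "__main__":
    print("unsafe:", demo_unsafe())
    print("safe:  ", demo_safe())
```

Running it shows the unsafe path setting all three configuration values to `pwned`, while the safe path leaves `admin.email` and `security.loginOnly` untouched and stores the literal string `pwned' --` under `site.title`. The same pattern applies to the key parameter: any value that reaches the query text, rather than a bound parameter, is an injection point regardless of how privileged the submitting user is.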
Solution
The phpMyFAQ Team has released phpMyFAQ version 4.0.14, which fixes the vulnerability. All
users of affected phpMyFAQ versions are encouraged to upgrade to this latest version as soon as possible.
Workaround
There is no workaround other than upgrading to phpMyFAQ 4.0.14.
Thanks
The phpMyFAQ team would like to thank Yihao Peng for the responsible disclosure of this vulnerability.