CVE-2025-68951

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in phpMyFAQ lets an attacker who can self-register an account store JavaScript in the user display name field. When an administrator opens the user list in the admin panel, the stored payload runs in the administrator's browser with the administrator's session, which can lead to admin account takeover. Affects phpMyFAQ 4.0.14 and 4.0.15; fixed in 4.0.16.

💻 Affected Systems

Products:
  • phpMyFAQ
Versions: 4.0.14 through 4.0.15
Operating Systems: All platforms running phpMyFAQ
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installations with user registration enabled.

📦 What is this software?

phpMyFAQ is an open-source FAQ web application written in PHP. It stores content and user accounts in a database and is managed through a web-based admin panel, which is where the affected user list is rendered.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator account takeover leading to complete system compromise, data theft, or deployment of backdoors.

🟠

Likely Case

Session hijacking of admin accounts, privilege escalation, or data exfiltration from admin sessions.

🟢

If Mitigated

Limited impact once display names are escaped on output in the admin user list (the actual fix) and, as defence in depth, validated on input at registration.

🌐 Internet-Facing: HIGH - Attackers can exploit remotely by registering accounts with malicious display names.
🏢 Internal Only: MEDIUM - Requires attacker to have access to user registration functionality.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Injecting the payload needs only the self-registration form (no existing account). Executing it needs an administrator to open the user list, so this is a stored, admin-targeted XSS rather than a direct unauthenticated compromise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.16

Vendor Advisory: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc

Restart Required: No

Instructions:

1. Back up your phpMyFAQ installation and database.
2. Download version 4.0.16 from the official repository.
3. Replace the affected files with the patched version.
4. Verify that display names are escaped when the admin user list is rendered.

🔧 Temporary Workarounds

Disable User Registration

Platform: all

Temporarily disable new user registration so that no new display names can be injected. This does not clean up display names already stored, so review existing user records for markup as well.

Edit the configuration to disable the user registration feature.

Input Validation Filter

Platform: all

Reject or strip markup characters (<, >, ", ', &) in display names server-side at registration. This is defence in depth only: the root cause is missing output escaping in the admin user list, so validation narrows the exposure but does not remove it.

Add input sanitization for user registration fields.
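The following is an added illustration, not code from phpMyFAQ (which has its own templating and user model): the rendering pattern behind this class of bug, the same row escaped at the output boundary, and a registration-time validator of the kind the "Input Validation Filter" workaround describes. The function names, the row layout and the 64-character limit are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample of what an attacker could submit as a display name at
// registration: a broken image whose onerror handler runs in the admin's browser.
const CRAFTED_NAME = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern (hypothetical, not phpMyFAQ's template code): the display
// name is concatenated straight into the admin user list, so the browser parses
// the attacker's markup as HTML and runs the handler.
function renderUserRowUnsafe(array $user): string
{
    return '<tr><td>' . $user['id'] . '</td><td>' . $user['display_name'] . '</td></tr>';
}

// Hardened pattern: escape at the output boundary. ENT_QUOTES covers both quote
// styles so the value is also safe inside attributes; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of silently returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUserRowSafe(array $user): string
{
    return '<tr><td>' . e((string) $user['id']) . '</td><td>' . e($user['display_name']) . '</td></tr>';
}

// Registration-time validator for the "Input Validation Filter" workaround:
// reject display names carrying markup or control characters before they are
// stored. Defence in depth only; it does not replace output escaping.
// Assumes the mbstring extension for the length check.
function isAcceptableDisplayName(string $name): bool
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return false;
    }
    // preg_match() returns 1 on a match, 0 on no match and false on malformed
    // UTF-8; only a clean 0 (no markup, no control characters) is acceptable.
    return preg_match('/[<>"\'&\x00-\x1F\x7F]/u', $name) === 0;
}

$user = ['id' => 42, 'display_name' => CRAFTED_NAME];

echo "Unsafe row:\n", renderUserRowUnsafe($user), "\n";
echo "Escaped row:\n", renderUserRowSafe($user), "\n";

foreach (['Alice Example', CRAFTED_NAME, "Bob\x00Smith", "O'Brien"] as $candidate) {
    printf("%-50s %s\n", json_encode($candidate), isAcceptableDisplayName($candidate) ? 'accepted' : 'rejected');
}
```

The unsafe row hands the browser a live img element; the escaped row shows the same characters as text, which is the fix the 4.0.16 release applies on the output side. The validator is the trade-off the workaround implies: it also rejects legitimate names such as O'Brien, which is acceptable as a stopgap but not as a substitute for escaping.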

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in user registration requests.
  • Restrict admin panel access to trusted IP addresses only.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed version is 4.0.14 or 4.0.15. To test the behaviour directly, register a test account whose display name contains harmless markup such as <b>test</b> and open the admin user list: if the name is shown in bold rather than as the literal characters, display names are not being escaped and the instance is vulnerable.

Check Version:

Check phpMyFAQ version in admin dashboard or configuration files.

Verify Fix Applied:

After patching, repeat the test: the display name must appear as literal text in the admin user list (the page source shows &lt;b&gt; rather than <b>). Also review existing user records for display names containing markup, since any found indicate attempted exploitation before the upgrade.

📡 Detection & Monitoring

Log Indicators:

  • User registrations whose display name contains markup (tags, event-handler attributes such as onerror=, or javascript: URLs), including URL-encoded or entity-encoded forms
  • Admin-panel activity from a client IP or user agent that differs from the administrator's usual one shortly after an administrator viewed the user list, a sign of a hijacked session

Network Indicators:

  • HTTP POST requests to registration endpoint with suspicious payloads

SIEM Query:

source="web_logs" AND http_method="POST" AND uri_path="/register" AND (body CONTAINS "%3C" OR body CONTAINS "<" OR body CONTAINS "onerror" OR body CONTAINS "onload" OR body CONTAINS "javascript:")

Match on the request body rather than the whole message, and on both the raw (%3C) and decoded (<) forms, because form submissions arrive URL-encoded. A bare "&" is not an indicator: it separates every form field and would match almost every request. Adjust the path to the instance's actual registration endpoint.
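As an added example of the detection logic behind that query (not code from phpMyFAQ or from the page), the script below scans constructed request-log lines for registration POSTs whose display name decodes to markup. The log format, the /register path and the display_name field name are assumptions; adapt them to the WAF or application log actually available.

```php
<?php
declare(strict_types=1);

// Constructed sample log (hypothetical format, not phpMyFAQ's own logging):
// <timestamp> <client-ip> POST <path> <url-encoded form body>, as a WAF or an
// application-level request log might record registration submissions.
const SAMPLE_LOG = <<<'LOG'
2025-01-10T09:12:01Z 203.0.113.5 POST /register name=alice&display_name=Alice+Example&email=alice%40example.org
2025-01-10T09:12:44Z 198.51.100.7 POST /register name=bob&display_name=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&email=bob%40example.org
2025-01-10T09:13:10Z 198.51.100.7 POST /register name=carol&display_name=Carol+%26+Co&email=carol%40example.org
2025-01-10T09:14:02Z 192.0.2.9 POST /register name=dave&display_name=%26lt%3Bsvg+onload%3Dalert%281%29%26gt%3B&email=dave%40example.org
LOG;

// Indicators of markup or script in a field that should hold a human name.
const XSS_PATTERNS = [
    '/<\s*\/?\s*[a-z][a-z0-9-]*/i',  // an HTML tag opener such as <img or <svg
    '/\bon[a-z]+\s*=/i',             // event-handler attributes: onerror=, onload=
    '/javascript\s*:/i',             // javascript: URLs
];

function isSuspiciousDisplayName(string $decoded): bool
{
    foreach (XSS_PATTERNS as $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Returns one entry per registration POST whose display name looks like
 * markup, as ['time' => ..., 'ip' => ..., 'display_name' => decoded value].
 */
function findSuspiciousRegistrations(string $log, string $registerPath = '/register'): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        $parts = explode(' ', $line, 5);
        if (count($parts) < 5 || $parts[2] !== 'POST' || $parts[3] !== $registerPath) {
            continue;
        }
        // parse_str() undoes the form encoding (%3C -> <, + -> space). A second
        // layer of HTML entities (&lt; submitted literally) is undone as well, so
        // a payload that counts on the application decoding it later is still seen.
        parse_str($parts[4], $form);
        $displayName = html_entity_decode((string) ($form['display_name'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if (isSuspiciousDisplayName($displayName)) {
            $hits[] = ['time' => $parts[0], 'ip' => $parts[1], 'display_name' => $displayName];
        }
    }
    return $hits;
}

foreach (findSuspiciousRegistrations(SAMPLE_LOG) as $hit) {
    printf("%s %s display_name=%s\n", $hit['time'], $hit['ip'], $hit['display_name']);
}
```

Run against the sample, it reports the two registrations whose names decode to tags with event handlers and stays quiet on "Carol & Co", which is the point of matching on the decoded form field rather than on a bare ampersand.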

🔗 References

  • Vendor advisory: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc
