CVE-2025-59943 is a high-severity vulnerability affecting phpMyFAQ, an open-source FAQ web application widely used for managing frequently asked questions and related user interactions. The vulnerability exists in versions 4.0.7 through 4.0.12 (inclusive) and stems from improper user management, specifically the failure to enforce uniqueness of email addresses during user registration. This flaw allows multiple distinct user accounts to be registered using the same email address. Since email addresses commonly serve as unique identifiers for critical functions such as password resets, notifications, and administrative actions, this ambiguity can lead to serious security issues. In particular, attackers may exploit this to cause confusion in account management processes, potentially enabling privilege escalation or account takeover under certain configurations. For example, if password reset tokens or administrative notifications are sent based solely on email address without additional verification, an attacker controlling one account with a shared email could intercept or manipulate these processes to gain unauthorized access to another account. The vulnerability is classified under CWE-286 (Incorrect Authorization) and CWE-284 (Improper Access Control), highlighting failures in enforcing proper access restrictions. The CVSS v3.1 base score is 8.1, indicating a high severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact on confidentiality and integrity is high, while availability is not affected. No known exploits are currently reported in the wild. The issue is resolved in phpMyFAQ version 4.0.13, which enforces email uniqueness during registration, thereby eliminating the ambiguity and associated risks.

For European organizations using phpMyFAQ versions between 4.0.7 and 4.0.12, this vulnerability poses a significant risk to user account security and data integrity. The ability to create multiple accounts with the same email can undermine authentication and authorization mechanisms, potentially allowing attackers to escalate privileges or take over accounts without needing prior credentials. This could lead to unauthorized access to sensitive FAQ content, administrative functions, or user data, compromising confidentiality and trust. Organizations relying on phpMyFAQ for customer support, internal knowledge bases, or public information dissemination may face reputational damage, data breaches, or operational disruptions if attackers exploit this flaw. The risk is heightened in environments where email is the primary or sole identifier for password resets and notifications without additional verification steps. Given the network-based attack vector and no requirement for privileges, attackers can exploit this remotely, increasing the threat surface. Although no active exploits are reported yet, the high CVSS score and the nature of the vulnerability warrant prompt attention, especially for European entities subject to strict data protection regulations such as GDPR, where unauthorized access to personal data can lead to regulatory penalties.

European organizations should immediately upgrade phpMyFAQ installations to version 4.0.13 or later, where the vulnerability is fixed by enforcing unique email addresses during user registration. Until the upgrade can be performed, organizations should implement compensating controls such as: 1) Enhancing password reset workflows to require additional verification beyond email ownership, such as multi-factor authentication or security questions. 2) Monitoring user registration logs for multiple accounts sharing the same email and manually reviewing or disabling suspicious accounts. 3) Restricting administrative actions and notifications to verified accounts with unique identifiers. 4) Implementing application-layer filters or custom patches to enforce email uniqueness if upgrading is delayed. 5) Educating users and administrators about the risks of shared email accounts and encouraging use of unique email addresses. Additionally, organizations should audit their phpMyFAQ configurations to ensure that email-based processes do not rely solely on the email address as a unique identifier and consider integrating stronger identity verification mechanisms. Regular security assessments and monitoring for anomalous account activities related to email reuse are also recommended.