phpMyFAQ is an open source FAQ web application widely used for managing frequently asked questions on websites. Versions 4.0.14 and 4.0.15 contain a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-68951 (CWE-79). The vulnerability arises from improper neutralization of input during web page generation. Specifically, when a user registers with a display name containing malicious HTML entities, these entities are decoded server-side and rendered in the administrator’s user list page without proper escaping or sanitization. This allows an attacker to inject and execute arbitrary JavaScript code within the administrator’s browser context. Since the malicious script runs with admin privileges, it can potentially steal session cookies, perform actions on behalf of the admin, or pivot to other internal systems. Exploitation requires the attacker to register a user account with a crafted display name and relies on an administrator viewing the user list, which involves user interaction. The vulnerability does not require prior authentication to register but does require admin interaction to trigger. The issue is fixed in phpMyFAQ version 4.0.16. The CVSS 3.1 base score of 5.4 reflects network attack vector, low attack complexity, no privileges required, but user interaction is needed, and the impact is limited to confidentiality and integrity without availability impact. No known exploits are reported in the wild as of now.

For European organizations using phpMyFAQ versions 4.0.14 or 4.0.15, this vulnerability poses a moderate risk. An attacker could leverage this XSS flaw to execute malicious scripts in the context of an administrator’s browser, potentially leading to session hijacking, unauthorized actions, or data leakage. This could compromise the confidentiality and integrity of the FAQ system and possibly other connected internal resources if the admin’s session is hijacked. Organizations relying on phpMyFAQ for internal knowledge bases or customer support might face reputational damage and operational disruption if attackers exploit this vulnerability. However, the impact is somewhat limited by the need for an attacker to register a user and for an administrator to view the user list, which may reduce the likelihood of exploitation. Since no known exploits are reported in the wild, the immediate threat level is moderate but should not be underestimated, especially in environments with high-value administrative access or sensitive information stored in phpMyFAQ.

European organizations should promptly upgrade phpMyFAQ to version 4.0.16 or later, where the vulnerability is patched. Until the upgrade is applied, organizations can implement strict input validation and output encoding on user-supplied data, especially display names, to prevent HTML entity injection. Restricting registration capabilities or implementing CAPTCHA and email verification can reduce the risk of automated malicious registrations. Administrators should be cautious when viewing the user list and consider limiting access to this page to trusted personnel only. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regularly monitoring logs for suspicious user registrations or unusual admin page access patterns can help detect exploitation attempts. Finally, educating administrators about the risk and signs of XSS attacks will improve incident response readiness.