phpMyFAQ is an open-source FAQ web application widely used for managing frequently asked questions on websites. Versions prior to 4.0.16 contain a critical vulnerability identified as CVE-2025-69200, classified under CWE-202 (Exposure of Sensitive Information Through Data Queries). The vulnerability arises because the application allows unauthenticated remote attackers to trigger the creation of a configuration backup ZIP file via a POST request to the /api/setup/backup endpoint. This ZIP file is then stored in a web-accessible location, enabling attackers to download it without any authentication or user interaction. The backup archive includes sensitive configuration files such as database.php, which contains database credentials and other critical configuration data. This exposure can lead to high-impact information disclosure, providing attackers with credentials that could facilitate further attacks, including database compromise, data exfiltration, or lateral movement within the network. The vulnerability does not affect the integrity or availability of the system directly but poses a significant confidentiality risk. The issue was addressed and fixed in phpMyFAQ version 4.0.16 by restricting access to the backup functionality and securing the storage location of backup files. No known exploits have been reported in the wild as of the publication date, but the vulnerability's ease of exploitation and impact warrant immediate attention.

For European organizations, this vulnerability poses a substantial risk to confidentiality, particularly for entities that deploy phpMyFAQ in public-facing environments or intranets with insufficient access controls. Exposure of database credentials can lead to unauthorized access to backend databases, potentially resulting in data breaches involving personal data protected under GDPR. This can cause regulatory penalties, reputational damage, and operational disruptions. Organizations in sectors such as government, healthcare, finance, and critical infrastructure that rely on phpMyFAQ for knowledge management may face increased risk of targeted attacks leveraging this vulnerability. Additionally, the ease of exploitation without authentication means attackers can operate remotely and anonymously, increasing the threat landscape. The lack of impact on integrity and availability limits direct service disruption, but the potential for follow-on attacks elevates the overall risk profile.

European organizations should immediately upgrade all phpMyFAQ installations to version 4.0.16 or later to remediate this vulnerability. Until upgrades can be applied, organizations should implement strict network-level access controls to restrict access to the /api/setup/backup endpoint, ideally limiting it to trusted administrative IP addresses only. Web server configurations should be reviewed to prevent direct access to backup files or directories where such archives might be stored. Monitoring and logging of access to backup-related endpoints should be enabled to detect any suspicious activity. Additionally, organizations should audit their phpMyFAQ configurations and remove any unnecessary backup files from web-accessible locations. Regular vulnerability scanning and penetration testing should include checks for this vulnerability. Finally, organizations should review database credentials and rotate them if there is any suspicion of compromise due to this vulnerability.