
CVE-2026-24422: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in thorsten phpMyFAQ

Severity: Medium
Tags: Vulnerability, CVE-2026-24422, CWE-200
Published: Sat Jan 24 2026 (01/24/2026, 02:02:30 UTC)
Source: CVE Database V5
Vendor/Project: thorsten
Product: phpMyFAQ

Description

CVE-2026-24422 is a medium severity information disclosure vulnerability in phpMyFAQ versions 4.0.16 and below. Multiple public API endpoints, including OpenQuestionController::list(), improperly expose sensitive user data such as email addresses and non-public content due to insufficient access controls. This flaw allows attackers to harvest emails for phishing or access private FAQ content. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. It has been fixed in version 4.0.17. European organizations using vulnerable phpMyFAQ versions risk targeted phishing and privacy breaches.

AI-Powered Analysis

Last updated: 01/24/2026, 02:50:27 UTC

Technical Analysis

phpMyFAQ is an open-source FAQ management system widely used for publishing frequently asked questions and related content. In versions 4.0.16 and earlier, a critical design flaw exists in multiple public API endpoints, notably the OpenQuestionController::list() method. This endpoint calls the Question::getAll() function with the parameter showAll=true by default, which causes it to return all questions, including those marked as non-public (isVisible=false). Alongside the content, sensitive user information such as email addresses is also exposed. Similar exposure issues exist in other API endpoints handling comments, news, and FAQ data. The root cause is insufficient access control checks on these API endpoints, allowing unauthenticated attackers to retrieve data that should be restricted. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Exploitation requires no privileges or user interaction and can be performed remotely over the network. The CVSS 3.1 base score is 5.3 (medium), reflecting the ease of exploitation and limited impact on confidentiality (only email addresses and non-public content are exposed, but no integrity or availability impact). The issue was publicly disclosed and fixed in phpMyFAQ version 4.0.17, which properly restricts access to sensitive data. No known active exploits have been reported in the wild to date.
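The pattern described above, as an added illustrative example that is not phpMyFAQ's own code: a listing helper that returns every row because showAll defaults to true, beside a hardened listing that filters on isVisible and drops the email column for anonymous callers. The function names, the row layout, the sample rows and the $isAuthenticated flag are assumptions made for this example.

```php
<?php
// Illustrative example, not phpMyFAQ code. Rows, names and the
// $isAuthenticated flag are constructed to mirror the flaw described above.

// Constructed sample data: two open questions, one marked non-public.
$questions = [
    ['id' => 1, 'question' => 'How do I reset my password?',  'email' => 'alice@example.test', 'isVisible' => true],
    ['id' => 2, 'question' => 'Internal: rollout plan for Q3', 'email' => 'bob@example.test',   'isVisible' => false],
];

// Vulnerable pattern: the helper only filters when $showAll is false,
// and the endpoint never passes anything, so the default (true) applies
// for every caller, authenticated or not.
function getAllVulnerable(array $rows, bool $showAll = true): array
{
    return $showAll ? $rows : array_values(array_filter($rows, fn($r) => $r['isVisible']));
}

function listVulnerable(array $rows): array
{
    return getAllVulnerable($rows); // showAll silently defaults to true
}

// Hardened pattern: visibility is decided by the caller's authentication
// state, not by a default flag, and the email column is stripped for
// anonymous callers before the rows leave the controller.
function listHardened(array $rows, bool $isAuthenticated): array
{
    $visible = $isAuthenticated ? $rows : array_filter($rows, fn($r) => $r['isVisible']);
    return array_values(array_map(function (array $r) use ($isAuthenticated): array {
        if (!$isAuthenticated) {
            unset($r['email']);
        }
        return $r;
    }, $visible));
}

// Self-check a reviewer can run: does an anonymous listing expose an
// email address or a non-public row?
function leaksToAnonymous(array $out): bool
{
    foreach ($out as $r) {
        if (isset($r['email']) || empty($r['isVisible'])) {
            return true;
        }
    }
    return false;
}

var_dump(leaksToAnonymous(listVulnerable($questions)));      // anonymous caller
var_dump(leaksToAnonymous(listHardened($questions, false)));  // anonymous caller
echo json_encode(listHardened($questions, false)), PHP_EOL;
```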

Potential Impact

For European organizations, this vulnerability poses a significant privacy and security risk. Exposure of user email addresses can facilitate targeted phishing campaigns, social engineering attacks, and spam, potentially leading to credential theft or malware infections. Disclosure of non-public FAQ content may reveal internal knowledge, policies, or sensitive operational information, undermining confidentiality and trust. Organizations relying on phpMyFAQ for customer support or internal knowledge bases may suffer reputational damage if private data is leaked. Since the vulnerability requires no authentication and is remotely exploitable, attackers can easily scan for vulnerable instances across Europe. The impact is particularly critical for sectors handling sensitive customer data or regulated information, such as finance, healthcare, and government agencies. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone warrants prompt remediation.

Mitigation Recommendations

The primary mitigation is to upgrade all phpMyFAQ installations to version 4.0.17 or later, where the access control issues have been fixed. Organizations should audit their current phpMyFAQ version deployments and prioritize patching vulnerable instances. Additionally, review and tighten API endpoint access controls to ensure sensitive data is not exposed to unauthenticated users. Implement network-level protections such as web application firewalls (WAFs) to monitor and block suspicious API requests targeting these endpoints. Conduct regular security assessments and penetration tests focusing on API security. Educate users and administrators about phishing risks stemming from leaked email addresses. Where upgrading is temporarily not feasible, restrict access to the FAQ application via IP whitelisting or VPNs to limit exposure. Finally, monitor logs for unusual access patterns that may indicate exploitation attempts.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-22T18:19:49.175Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6974300c4623b1157c786400

Added to database: 1/24/2026, 2:35:56 AM

Last enriched: 1/24/2026, 2:50:27 AM

Last updated: 1/24/2026, 3:42:18 AM

