CVE-2025-68951
Unknown Unknown - Not Provided
Stored XSS in phpMyFAQ Admin User List Allows Script Execution

Publication date: 2025-12-29

Last updated on: 2025-12-29

Assigner: GitHub, Inc.

Description
phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2025-12-29
Generated
2026-06-16
AI Q&A
2025-12-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68951
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
phpmyfaq phpmyfaq 4.0.16
phpmyfaq phpmyfaq 4.0.15
phpmyfaq phpmyfaq 4.0.14
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in phpMyFAQ versions 4.0.14 and 4.0.15. An attacker can register a user account with a display name containing malicious HTML entities. When an administrator views the admin user list, the server decodes and renders this display name without proper escaping, causing the malicious JavaScript to execute in the administrator's browser.

Impact Analysis

The vulnerability allows an attacker to execute arbitrary JavaScript in the administrator's browser, potentially leading to unauthorized actions performed with admin privileges, theft of sensitive information, session hijacking, or further compromise of the application.

Mitigation Strategies

Upgrade phpMyFAQ to version 4.0.16 or later, as this version contains a patch that fixes the stored cross-site scripting (XSS) vulnerability.

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking if your phpMyFAQ installation is running a vulnerable version (4.0.14 or 4.0.15) and by inspecting the admin user list for user display names containing HTML entities that could be decoded and executed as scripts. A practical detection method is to attempt registering a user with a display_name containing HTML entity-encoded XSS payloads (e.g., `<img src=x onerror=alert(1)>`) and then viewing the admin user list to see if the payload executes. For command-line detection, you can check the installed version of phpMyFAQ or search the codebase for the presence of the `| raw` filter on `user.display_name` in the Twig templates. For example, use the following command in the phpMyFAQ directory to find vulnerable code: `grep -r '{{ user.display_name | raw }}' phpmyfaq/assets/templates/admin/user/`. If this pattern exists, the system is likely vulnerable. Additionally, verify the version by checking the version file or metadata. Upgrading to version 4.0.16 or later patches the issue. [3, 1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68951. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart