Multiple Stored XSS via mail parameter in thorsten/phpmyfaq


Reported on

Apr 2nd 2023


In PhpMyFaq, while submitting a question, the mail parameter is accepting unsanitized user input which leads to Stored XSS vulnerability, executing on Admin Panel (/admin/?action=question).

Proof of Concept

  1. Go to
  2. Fill up all the necessary forms except Your email address field
  3. Enter the payload in the Your email address field
  4. Submit

XSS will execute in Admin Panel (





Another XSS due to same occuerence:

Similar to this, mail parameter in every function is vulnerable to XSS! While making a comment in a FAQ, capture the request via Burp Suite and change the mail parameter to below payload.

Example REQUEST:






XSS executing on

FAQ page

PoC 2



If an attacker can control a script that is executed in the admin's browser, then they can typically fully compromise that admin user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 2 months ago
Aziz Hakim modified the report
2 months ago
Aziz Hakim modified the report
2 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 2 months ago
Thorsten Rinne gave praise 2 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne validated this vulnerability 2 months ago
Aziz Hakim has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.13 with commit 20ac51 2 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Apr 30th 2023
Aziz Hakim
2 months ago


Hi, @thorsten

What's the CVE number?

Thank you for the early validation.

Thorsten Rinne published this vulnerability a month ago
Aziz Hakim
a month ago



23 days ago



Ben Harvie
20 days ago


Issue has now been fixed and the CVE has been assigned:)

Aziz Hakim
19 days ago


Thank you

to join this conversation