Blind Stored XSS in administration panel in thorsten/phpmyfaq


Reported on

Dec 15th 2022


Blind stored XSS: any visitor without any privileges can create a "Proposal for a new FAQ" at the following URL and add the XSS payload <img src=x onerror='alert("Stored XSS")'> in the "Your question" input field. This allows any anonymous visitor to steal admin cookies. Also, according to the previous bug "bypass captcha", I bypassed the captcha to send the request, and then the payload alerted in the administration panel.

Proof of Concept


Leads to admin account takeover; also, the "Secure" flag is false.
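The output-encoding step that keeps a stored value like the one in this report from running in an admin view, shown next to the unencoded form. This is an added example, not part of the original report and not phpMyFAQ's code or its 3.1.10 fix; the function names, the row shape and the cookie settings beyond "Secure" are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a phpMyFAQ function): encode untrusted text for an
// HTML element body or a quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unencoded form: the visitor-supplied question is concatenated into the admin
// page as markup, so any tag stored in it is parsed by the admin's browser.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['question'] . '</td></tr>';
}

// Encoded form: the same row, with the value encoded at output time, so the
// stored text is displayed as text whatever was accepted on input.
function renderRowSafe(array $row): string
{
    return '<tr><td>' . h($row['question']) . '</td></tr>';
}

// Session cookie attributes. The report states only that "Secure" is false;
// HttpOnly and SameSite are added here as assumptions about a sensible baseline.
function hardenedSessionCookieParams(): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // cookie is sent over HTTPS only
        'httponly' => true,     // cookie is not readable from document.cookie
        'samesite' => 'Strict', // cookie is not attached to cross-site requests
    ];
}

// Constructed sample row holding the value quoted in the report.
$row = ['id' => 1, 'question' => "<img src=x onerror='alert(\"Stored XSS\")'>"];

echo renderRowUnsafe($row), PHP_EOL; // markup reaches the page unchanged
echo renderRowSafe($row), PHP_EOL;   // <, >, ' and " arrive as entities

// In a web request this must run before session_start() (PHP 7.3+ array form).
if (PHP_SAPI !== 'cli') {
    session_set_cookie_params(hardenedSessionCookieParams());
}
```

Encoding at output covers rows already stored before any input-side validation was added, which matters for a blind stored issue where the value sits in the database until an administrator opens the page.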


We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago
thorsten/phpmyfaq maintainer has acknowledged this report a year ago
Thorsten Rinne gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne validated this vulnerability a year ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.10 with commit 65d419 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 31st 2023
add.php#L66 has been validated
Thorsten Rinne published this vulnerability 10 months ago