CVE-2017-15728
Description
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via metaDescription or metaKeywords.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in phpMyFAQ before 2.9.9 allows admins with meta edit access to inject scripts via metaDescription or metaKeywords.
Vulnerability
In phpMyFAQ versions prior to 2.9.9, the application fails to sanitize the metaDescription and metaKeywords fields before output. An authenticated administrator who can edit the FAQ configuration can inject arbitrary HTML and JavaScript. The affected code path is in index.php where these meta fields were output without htmlspecialchars() encoding [1]. The fix was introduced in version 2.9.9.
Exploitation
An attacker must have administrative access to the phpMyFAQ configuration interface. No additional privileges are required beyond those of an admin role. The attacker edits the meta description or meta keywords fields to include an HTML script payload. When any visitor loads pages that include these meta tags (typically via the site's global HTML head), the script executes in the victim's browser. No user interaction is required beyond normal page viewing.
Impact
Successful exploitation results in stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the context of the victim’s session, leading to potential session hijacking, defacement, or redirection to malicious sites. The attack persists in the application’s configuration until the meta fields are cleared or the fix is applied.
Mitigation
Upgrade to phpMyFAQ version 2.9.9 or later, which applies PMF_String::htmlspecialchars() to both metaDescription and metaKeywords [1]. No workaround is available for earlier versions. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.
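The following PHP is an added illustration, not phpMyFAQ's own code: it contrasts the vulnerable pattern described above (admin-controlled meta fields interpolated verbatim into the HTML head) with the encoded form that the 2.9.9 fix introduced. The page reports that phpMyFAQ's fix used PMF_String::htmlspecialchars(); this example uses PHP's built-in htmlspecialchars() with the same intent. The $config array, the sample values in it and the function names are constructed for the example.

```php
<?php
// Added example (not phpMyFAQ code). $config and the sample values below are
// constructed: they stand in for meta fields an admin saved via the configuration UI.
$config = [
    'metaDescription' => 'Company FAQ"><script>alert(1)</script><meta name="x',
    'metaKeywords'    => 'faq, help, support',
];

// Vulnerable pattern (pre-2.9.9 behaviour as described in the advisory): the value
// is dropped into the attribute as-is, so a double quote in it closes the attribute
// and everything after it is parsed as live markup by the visitor's browser.
function renderMetaVulnerable(array $config): string
{
    return '<meta name="description" content="' . $config['metaDescription'] . '">' . "\n"
         . '<meta name="keywords" content="' . $config['metaKeywords'] . '">' . "\n";
}

// Encoder for the HTML attribute context. ENT_QUOTES encodes both " and ' so the
// value can never terminate the attribute; ENT_HTML5 and an explicit charset avoid
// the surprises of the defaults.
function encodeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode every admin-controlled value at the output boundary.
function renderMetaSafe(array $config): string
{
    return '<meta name="description" content="' . encodeAttr($config['metaDescription']) . '">' . "\n"
         . '<meta name="keywords" content="' . encodeAttr($config['metaKeywords']) . '">' . "\n";
}

// Regression-style check: the rendered head must not contain a raw <script tag
// originating from configuration data.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo "Vulnerable rendering:\n", renderMetaVulnerable($config), "\n";
echo "Hardened rendering:\n", renderMetaSafe($config), "\n";

// The vulnerable output carries a live <script>; the hardened output carries only
// &lt;script&gt; text inside the content attribute.
assert(containsRawScriptTag(renderMetaVulnerable($config)) === true);
assert(containsRawScriptTag(renderMetaSafe($config)) === false);
```

Run with `php example.php`. The check in containsRawScriptTag() is the kind of assertion worth keeping in a template test suite: it catches a future regression where someone reintroduces unencoded output of a configuration value, regardless of which field it is.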
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
1. github.com/thorsten/phpMyFAQ/commit/2d2a85b59e058869d7cbcfe2d73fed4a282f2e5b (NVD: Third Party Advisory)
News mentions (0)
No linked articles in our index yet.