VYPR
Moderate severity · NVD Advisory · Published Mar 31, 2023 · Updated Feb 11, 2025

Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq

CVE-2023-1760

Description

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in phpMyFAQ before 3.1.12 allowed authenticated users to inject arbitrary JavaScript via the display name field, leading to session hijacking or phishing.

A stored cross-site scripting (XSS) vulnerability was discovered in the phpMyFAQ web application prior to version 3.1.12. The root cause is that user-controlled data, specifically the display name, was output in the administrative user management interface without HTML entity encoding. The getAllUserOptions() method in the UserHelper class interpolated the display name directly into an HTML option element without encoding it [2][3].

An authenticated attacker able to modify their own display name (or a user with permission to edit other users) could store arbitrary JavaScript or HTML in the display name field. When an administrator opens the user management page, the stored payload is rendered in the administrator's browser in the context of the phpMyFAQ backend, triggering the stored XSS [1][4].

The impact is significant because the XSS executes in the admin panel, potentially allowing the attacker to steal session cookies, perform actions on behalf of the admin, or inject misleading content (e.g., phishing forms). The vulnerability is classified as moderate severity (CVSS score not provided in sources) and is exploitable without special network access, only requiring an authenticated role with user editing privileges [2][4].

The fix, implemented in commit 56295b54062a284020fccce12a5044f9fa7d2770, enforces HTML entity encoding on the display name output using Strings::htmlentities() before embedding it in the HTML option element [3]. Users are strongly advised to update to phpMyFAQ 3.1.12 or later. No workaround was published [1][2].
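The following is an added illustration, not phpMyFAQ's own code: it reproduces the option-rendering pattern from getAllUserOptions() in its vulnerable and fixed forms with a constructed display name. Because the project's Strings::htmlentities() wrapper is not shown on this page, encodeForHtml() below is an assumed stand-in built on PHP's htmlentities(); encoding the login as well goes one step beyond the patch.

```php
<?php
// Added example, not phpMyFAQ's code. encodeForHtml() is an assumed stand-in
// for the project's Strings::htmlentities(), whose flags are not shown on the page.
function encodeForHtml(string $value): string
{
    // ENT_QUOTES also encodes ' and ", so the same helper is safe inside attributes.
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Before the fix: display_name is interpolated raw into the element content.
function renderOptionVulnerable(int $userId, int $selectedId, string $displayName, string $login): string
{
    return sprintf(
        '<option value="%d" %s>%s (%s)</option>',
        $userId,                                   // %d casts to int, so this field is safe
        ($userId === $selectedId) ? 'selected' : '',
        $displayName,                              // unencoded: stored XSS sink
        $login
    );
}

// After the fix: display_name is entity-encoded before it reaches the template.
// Encoding the login too is a defence-in-depth step beyond the actual patch.
function renderOptionFixed(int $userId, int $selectedId, string $displayName, string $login): string
{
    return sprintf(
        '<option value="%d" %s>%s (%s)</option>',
        $userId,
        ($userId === $selectedId) ? 'selected' : '',
        encodeForHtml($displayName),
        encodeForHtml($login)
    );
}

// Constructed sample input: a display name that carries markup.
$displayName = 'Alice <script>alert(1)</script>';
$login = 'alice';

$vulnerable = renderOptionVulnerable(7, 1, $displayName, $login);
$fixed = renderOptionFixed(7, 1, $displayName, $login);

echo $vulnerable, PHP_EOL; // the <script> element reaches the admin's browser intact
echo $fixed, PHP_EOL;      // &lt;script&gt;... is displayed as literal text

// Check a reviewer can run: no raw tag survives in the encoded rendering.
assert(str_contains($vulnerable, '<script>'));
assert(!str_contains($fixed, '<script>'));
```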

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
thorsten/phpmyfaq (Packagist) | < 3.1.12 | 3.1.12

Affected products: 3

Patches: 1

56295b54062a

fix: added missing conversion to HTML entities

https://github.com/thorsten/phpmyfaq · Thorsten Rinne · Feb 12, 2023 · via ghsa
1 file changed · +2 −1
  • phpmyfaq/src/phpMyFAQ/Helper/UserHelper.php (+2 −1, modified)
    @@ -17,6 +17,7 @@
     
     namespace phpMyFAQ\Helper;
     
    +use phpMyFAQ\Strings;
     use phpMyFAQ\User;
     
     /**
    @@ -58,7 +59,7 @@ public function getAllUserOptions(int $id = 1, bool $allowBlockedUsers = false):
                         '<option value="%d" %s>%s (%s)</option>',
                         $userId,
                         (($userId === $id) ? 'selected' : ''),
    -                    $this->user->getUserData('display_name'),
    +                    Strings::htmlentities($this->user->getUserData('display_name')),
                         $this->user->getLogin()
                     );
                 }
    
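Review bot: the encoding is applied to `display_name` only; `$this->user->getLogin()` on the next line is interpolated into the same `'%s (%s)'` template unencoded. Unless logins are restricted to a safe character set on input (not visible in this diff), apply the same treatment there, i.e. `Strings::htmlentities($this->user->getLogin())`, so both user-supplied strings in the option text are encoded. `$userId` needs no change since `%d` casts it to an integer.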

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.