Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
Description
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in phpMyFAQ before 3.2.0-beta allows attackers to inject arbitrary JavaScript via HTML event attributes in FAQ content.
Vulnerability
Overview
CVE-2023-2753 is a stored cross-site scripting (XSS) vulnerability affecting phpMyFAQ, an open-source FAQ web application. The root cause is insufficient sanitization of user-supplied content in the cleanUpContent() method within the Helper class. While the method removed `<script>` tags, it failed to strip HTML event attributes (e.g., onerror, onclick), allowing attackers to inject executable JavaScript via attributes like `onerror` [1][2][3].
Exploitation
An attacker with the ability to create or edit FAQ articles can craft malicious HTML, such as an `<img>` element carrying an `onerror` event attribute (the pattern used in the fix's regression test). When this content is processed, the cleanUpContent() function removes the `<script>` tags but leaves event attributes intact. The fix, implemented in commit `5401ab75d022932b8d5d7adaa771acf44fed18ba`, adds an XPath query to remove all attributes whose names start with "on", effectively neutralizing such attack vectors [3][4]. No authentication is required beyond normal content creation permissions; the payload executes when any user visits the affected FAQ page.
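As an added illustration (not phpMyFAQ's own code), the following PHP mirrors the patched approach with a DOMDocument/DOMXPath cleanup that can be run with and without the event-attribute removal, so the pre-fix and post-fix results can be compared on one input. The function name and the sample content are constructed here; the sample is modelled on the regression test in the patch.

```php
<?php
// Added example, not phpMyFAQ's own code. cleanUpContentLike() is a
// hypothetical name; it reproduces the structure of the patched method.
function cleanUpContentLike(string $content, bool $stripEventAttributes): string
{
    $document = new DOMDocument();
    // Assumption: load the fragment without the implied <html><body> wrapper
    // and without a default DOCTYPE, so the output is the bare fragment.
    $document->loadHTML($content, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);

    // Pre-fix behaviour: drop <script> elements. getElementsByTagName()
    // returns a live list, so iterate backwards while removing nodes.
    $scriptTags = $document->getElementsByTagName('script');
    for ($i = $scriptTags->length - 1; $i >= 0; $i--) {
        $node = $scriptTags->item($i);
        $node->parentNode->removeChild($node);
    }

    if ($stripEventAttributes) {
        // Post-fix behaviour: remove every attribute whose name starts with
        // "on" (onerror, onclick, ...) from every element in the document.
        $xpath = new DOMXPath($document);
        foreach ($xpath->query("//*/@*[starts-with(name(), 'on')]") as $attr) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }

    return preg_replace(['/\r/', '/\n/'], '', $document->saveHTML());
}

// Constructed sample content: a <script> element plus an <img> whose
// onerror handler survives script-tag removal alone.
$content = '<p>Some text <script>alert("Hello, world!");</script>'
         . '<img src=foo onerror=alert(document.cookie)></p>';

echo "before fix: ", cleanUpContentLike($content, false), PHP_EOL;
echo "after fix:  ", cleanUpContentLike($content, true), PHP_EOL;
```

Running it shows the first line still carrying the `onerror` attribute on the `<img>` element and the second line reduced to the plain image tag, which is the behaviour the patched test asserts.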
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript into FAQ pages viewed by other users. This can lead to session hijacking, phishing, defacement, or other client-side attacks, potentially compromising administrative accounts and the integrity of the entire FAQ platform [2][4]. The attack does not require user interaction beyond navigating to the affected page.
Mitigation
The vulnerability is fixed in phpMyFAQ version 3.2.0-beta and later. Users are advised to upgrade immediately [1][2]. There are no known workarounds, and the issue was reported via huntr.dev [4]. No evidence of active exploitation in the wild has been disclosed as of the publication date.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| thorsten/phpmyfaq (Packagist) | < 3.2.0-beta | 3.2.0-beta |
Affected products
- thorsten/phpmyfaq (range: unspecified)
Patches
5401ab75d022: fix: remove HTML event attributes
2 files changed · +12 −3
phpmyfaq/src/phpMyFAQ/Helper/FaqHelper.php+10 −1 modified@@ -18,6 +18,7 @@ namespace phpMyFAQ\Helper; use DOMDocument; +use DOMXPath; use Exception; use ParsedownExtra; use phpMyFAQ\Category; @@ -245,6 +246,14 @@ public function cleanUpContent(string $content): string $scriptTags->item($i)->parentNode->removeChild($scriptTags->item($i)); } - return preg_replace(['/\r/', '/\n/'], '', $document->saveHTML()); + $xpath = new DOMXPath($document); + $onAttributes = $xpath->query("//*/@*[starts-with(name(), 'on')]"); + foreach ($onAttributes as $onAttribute) { + $onAttribute->ownerElement->removeAttributeNode($onAttribute); + } + + $body = $xpath->query('body')->item(0); + + return preg_replace(['/\r/', '/\n/'], '', $document->saveHTML($body)); } }
tests/phpMyFAQ/Helper/FaqHelperTest.php+2 −2 modified@@ -62,8 +62,8 @@ public function testCreateFaqUrl(): void public function testCleanUpContent(): void { - $content = '<p>Some text <script>alert("Hello, world!");</script></p>'; - $expectedOutput = '<p>Some text </p>'; + $content = '<p>Some text <script>alert("Hello, world!");</script><img src=foo onerror=alert(document.cookie)></p>'; + $expectedOutput = '<p>Some text <img src="foo"></p>'; $actualOutput = $this->faqHelper->cleanUpContent($content);
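Review bot: in the cleanUpContent() hunk, `$body = $xpath->query('body')->item(0);` is passed to `saveHTML($body)` without a null check; when the root element has no `body` child (content loaded with LIBXML_HTML_NOIMPLIED, or an empty string) `$body` is null and `saveHTML(null)` silently serializes the whole document instead, so the method returns differently shaped output depending on how the content was parsed. Suggest guarding with `if ($body === null) { ... }` and adding a test for that path. Separately, `starts-with(name(), 'on')` is a case-sensitive XPath string match, so the attribute removal relies on the HTML parser lowercasing attribute names; that assumption deserves a comment and a test rather than being implicit.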
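Review bot: the updated testCleanUpContent() covers a single lowercase `onerror` on a direct child of `<p>`; add a case with a mixed-case attribute name and one with an event attribute on a more deeply nested element, so a regression in either the parser's name normalisation or the `//*/@*` XPath scope would be caught. The new `$expectedOutput` also pins libxml's re-quoting of `src=foo` as `src="foo"`, which is fine but worth a short comment so a future serializer change is not mistaken for a sanitisation bug.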
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References