Stored XSS in FAQ Multisites in thorsten/phpmyfaq


Reported on

Sep 1st 2023

Description

I noticed your website is very secure.

But you overlooked an XSS flaw.

Proof of Concept

1. Log in with the admin demo account and access the admin page.

2. Go to Configuration ==> FAQ Multisites

3. Edit Instance URL with payload:


4. Edit Instance path with payload:


5. Click Save instance ==> XSS is detected

Video PoC


This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to those users' accounts through the stolen cookies, or redirect the users to other malicious websites...
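The pattern behind the five steps above, as an added example written for this page: it is not phpMyFAQ's code and does not reproduce commit ec551b. It models a FAQ Multisites admin table that concatenates the stored Instance URL and Instance path straight into HTML (the stored-XSS sink), next to a hardened version that HTML-encodes every value at output time and validates the two fields when the instance is saved. The function names, the array layout and the sample payload are assumptions; the report's own payloads are not shown on this page.

```php
<?php
declare(strict_types=1);

// Added illustrative example; this is not phpMyFAQ's code and does not
// reproduce the fixed commit. It models the pattern behind the report:
// values typed into the "Instance URL" / "Instance path" fields are stored
// and later rendered into the FAQ Multisites admin table. Function names,
// the array layout and the sample payload below are assumptions.

/** HTML-encode a value for a text node or a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES is passed explicitly: before PHP 8.1 the default did not
    // encode single quotes, which matters inside single-quoted attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** True only for a plain absolute http(s) URL built from a safe character set. */
function isPlainHttpUrl(string $url): bool
{
    return preg_match('~^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/-]*)?$~', $url) === 1;
}

/** True only for a relative path built from a safe character set. */
function isPlainPath(string $path): bool
{
    return preg_match('~^[A-Za-z0-9._/-]*$~', $path) === 1;
}

/**
 * Vulnerable rendering: stored values go straight into the markup, so a
 * stored url/path that contains HTML runs in the browser of every admin
 * who opens the page later (stored XSS).
 */
function renderInstanceRowVulnerable(array $instance): string
{
    return '<tr>'
        . '<td>' . $instance['url'] . '</td>'
        . '<td>' . $instance['path'] . '</td>'
        . '<td><a href="' . $instance['url'] . '">open</a></td>'
        . '</tr>';
}

/**
 * Hardened rendering: every stored value is encoded at output time, and the
 * link is only emitted when the stored URL is a plain http(s) URL, so a
 * stored "javascript:" URL cannot become a clickable link either.
 */
function renderInstanceRowSafe(array $instance): string
{
    $url  = (string) $instance['url'];
    $path = (string) $instance['path'];
    $link = isPlainHttpUrl($url)
        ? '<a href="' . h($url) . '">open</a>'
        : '<span>(invalid URL)</span>';

    return '<tr>'
        . '<td>' . h($url) . '</td>'
        . '<td>' . h($path) . '</td>'
        . '<td>' . $link . '</td>'
        . '</tr>';
}

/**
 * Input-side check for the "Save instance" handler. Output encoding is the
 * control that stops the XSS; this keeps markup out of the database in the
 * first place and gives the admin a clear error instead of a silent save.
 */
function validateInstanceInput(string $url, string $path): array
{
    $errors = [];
    if (!isPlainHttpUrl($url)) {
        $errors[] = 'Instance URL must be an absolute http(s) URL without special characters';
    }
    if (!isPlainPath($path)) {
        $errors[] = 'Instance path may only contain letters, digits, ".", "_", "/" and "-"';
    }
    return $errors;
}

// Constructed sample: a stored instance whose fields carry markup payloads.
$stored = [
    'url'  => 'https://faq.example.test/"><img src=x onerror=alert(1)>',
    'path' => '/faq<script>alert(document.cookie)</script>',
];

echo "vulnerable row (payload reaches the browser unencoded):\n";
echo renderInstanceRowVulnerable($stored), "\n\n";

echo "hardened row (payload is inert text):\n";
echo renderInstanceRowSafe($stored), "\n\n";

echo "save-time validation errors for the sample:\n";
print_r(validateInstanceInput($stored['url'], $stored['path']));

echo "save-time validation errors for a legitimate instance:\n";
print_r(validateInstanceInput('https://faq.example.test', 'faq'));
```

Run it with `php example.php` and compare the two rows: in the vulnerable row the `<img ...>` and `<script>` tags are emitted as live markup, in the hardened row they appear as `&lt;img ...&gt;` text. Because the two fields are edited from the admin configuration, the realistic victim is another administrator who later opens the FAQ Multisites page, which is why the encoding has to happen at output and cannot be replaced by trusting whoever saved the instance.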

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 3 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 3 months ago
Thorsten Rinne validated this vulnerability 3 months ago
HaiNguyen has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.18 with commit ec551b 3 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 30th 2023 3 months ago


Great, thank you for your feedback.

Thorsten Rinne published this vulnerability 2 months ago