CVE-2014-6046

HIGH

phpmyfaq < 2.8.13 - Cross-Site Request Forgery

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-6046.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in phpMyFAQ 2.8.X, including persistent XSS via unfiltered User-Agent and Referer headers, unauthenticated FAQ data disclosure, and CSRF attacks for user credential manipulation and configuration changes.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open questions, (3) activate users, (4) publish FAQs, (5) add or delete Glossary, (6) add or delete FAQ news, or (7) add or delete comments or add votes by leveraging lack of a CSRF token.

Exploits (1)

exploitdb WORKING POC
webappsphp
https://www.exploit-db.com/exploits/34580

The exploit demonstrates multiple vulnerabilities in phpMyFAQ 2.8.X, including persistent XSS via unfiltered User-Agent and Referer headers, unauthenticated FAQ data disclosure, and CSRF attacks for user credential manipulation and configuration changes.

Classification
Working Poc 95%
Attack Type
Xss | Info Leak | Auth Bypass | Other
Complexity
Trivial
Reliability
Reliable
Target: phpMyFAQ 2.8.X (>= 2.8.12)
No auth needed
Prerequisites: Access to the target phpMyFAQ instance · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory x_refsource_misc
http://techdefencelabs.com/security-advisories.html
Vendor Advisory x_refsource_confirm
https://www.phpmyfaq.de/security/advisory-2014-09-16

Scores

CVSS v3 8.8
EPSS 0.0193
EPSS Percentile 77.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
phpmyfaq/phpmyfaq < 2.8.13
Published Aug 28, 2018
Tracked Since Feb 18, 2026