
CVE-2025-59943: phpMyFAQ duplicate email registration allows multiple accounts with the same email

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: -
Published: 10/3/2025
Updated: 10/3/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name: thorsten/phpmyfaq
Ecosystem: composer
Vulnerable Versions: >= 4.0.7, < 4.0.13
First Patched Version: 4.0.13

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability allows multiple user accounts to be created with the same email address due to a lack of uniqueness enforcement during registration. The root cause is the absence of a check to verify if an email address is already present in the system before creating a new user.

The analysis of the patch commit 44cd20f86eb041f39d1c30a9beefad1cc61dc0ec reveals the exact locations of the flaw. The developers added email validation logic in two key functions:

  1. phpMyFAQ\Helper\RegistrationHelper::createUser: This is the high-level function that orchestrates the user registration process. The patch adds a block of code to call a new emailExists() method on the UserData object. If the email exists, the registration is halted. This function is the most direct entry point for the vulnerability described in the proof-of-concept.

  2. phpMyFAQ\User::createUser: This is a more fundamental user creation function. It was also patched to handle cases where the username (login) itself is an email address. It now checks if the provided login is an email and, if so, verifies its uniqueness in the userdata table.

Having identified these two functions, we can conclude that any runtime profile capturing a user registration event that triggers this vulnerability would show phpMyFAQ\Helper\RegistrationHelper::createUser in the stack trace, which in turn calls phpMyFAQ\User::createUser. Both functions processed potentially malicious input (a duplicate email address) without validating its uniqueness.

Vulnerable functions

Function: phpMyFAQ\Helper\RegistrationHelper::createUser
File: phpmyfaq/src/phpMyFAQ/Helper/RegistrationHelper.php
This function is the primary entry point for user registration. Before the patch, it directly called `$user->createUser()` without checking if the provided email address was already in use. This allowed an attacker to create multiple accounts with the same email address. The patch introduces a check using `emailExists()` to ensure the email is unique before proceeding with user creation.

Function: phpMyFAQ\User::createUser
File: phpmyfaq/src/phpMyFAQ/User.php
This is a lower-level function for creating a user. It was vulnerable because it only checked for the uniqueness of the login name, not the email. If the login name itself was an email address, it didn't check if that email was already registered in the `userdata` table. The patch adds a condition to check for email uniqueness if the login string is a valid email format.
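The two function descriptions above (the registration helper that never consulted the email column, and the lower-level creator that only checked the login) describe one missing check from two call sites. As an added example that is not phpMyFAQ's own code and is not taken from the patch commit, the following self-contained PHP sketch puts the pre-patch pattern beside the hardened form: one method that checks only the login, and one that also calls an emailExists() lookup and, when the login is itself an email address, applies the same check to it. The UserStore class, the in-memory SQLite userdata table and the sample accounts are all constructed for this example; only the method name emailExists() echoes the advisory.

```php
<?php
declare(strict_types=1);

// Illustrative registration model (added example, not phpMyFAQ code).
// Table layout, class and method names are assumptions for this demo.
final class UserStore
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Constructed schema. Note that, as in the vulnerable versions described,
        // nothing at the storage layer forbids two rows with the same email.
        $this->db->exec(
            'CREATE TABLE userdata (
                user_id INTEGER PRIMARY KEY AUTOINCREMENT,
                login   TEXT NOT NULL UNIQUE,
                email   TEXT NOT NULL
            )'
        );
    }

    public function loginExists(string $login): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM userdata WHERE login = ?');
        $stmt->execute([$login]);
        return $stmt->fetchColumn() !== false;
    }

    // Case-insensitive comparison so that Alice@Example.com cannot be used to
    // sidestep a check on alice@example.com.
    public function emailExists(string $email): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM userdata WHERE lower(email) = lower(?)');
        $stmt->execute([$email]);
        return $stmt->fetchColumn() !== false;
    }

    // Pre-patch pattern as described in the advisory: only the login is
    // checked, so a second account with an already registered email goes through.
    public function createUserVulnerable(string $login, string $email): bool
    {
        if ($this->loginExists($login)) {
            return false;
        }
        return $this->insert($login, $email);
    }

    // Hardened pattern: refuse the registration when the email is taken, and
    // also when the login is itself an email address that is already registered.
    public function createUserHardened(string $login, string $email): bool
    {
        if ($this->loginExists($login) || $this->emailExists($email)) {
            return false;
        }
        if (filter_var($login, FILTER_VALIDATE_EMAIL) !== false && $this->emailExists($login)) {
            return false;
        }
        return $this->insert($login, $email);
    }

    private function insert(string $login, string $email): bool
    {
        $stmt = $this->db->prepare('INSERT INTO userdata (login, email) VALUES (?, ?)');
        return $stmt->execute([$login, $email]);
    }

    public function countByEmail(string $email): int
    {
        $stmt = $this->db->prepare('SELECT COUNT(*) FROM userdata WHERE lower(email) = lower(?)');
        $stmt->execute([$email]);
        return (int) $stmt->fetchColumn();
    }
}

// Constructed input: several registrations that share one email address.
$store = new UserStore(new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]));

$results = [
    'vulnerable: first account'        => $store->createUserVulnerable('alice', 'alice@example.com'),
    'vulnerable: same email, new login' => $store->createUserVulnerable('alice2', 'alice@example.com'),
    'hardened: same email again'        => $store->createUserHardened('alice3', 'Alice@Example.com'),
    'hardened: login is a taken email'  => $store->createUserHardened('alice@example.com', 'other@example.com'),
    'rows sharing alice@example.com'    => $store->countByEmail('alice@example.com'),
];
var_export($results);
```

Run it with a PHP build that has pdo_sqlite enabled (`php register_demo.php`). The result array shows the vulnerable path accepting the second account for the same address while the hardened path rejects both the repeated email and the email-as-login case. Two points worth keeping in mind when applying this fix to a real code base: an emailExists()-style check runs before the INSERT, so two registrations racing each other can both pass it, and a UNIQUE index on the email column (absent from the constructed schema above) is the defence-in-depth layer that closes that window; and the comparison should be normalised (here, lowercased) so that case variants of one address are not treated as distinct identities.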

WAF Protection Rules

WAF Rule

### Summary

phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications,

Reasoning

The vulnerability allows multiple user accounts to be created with the same email address due to a lack of uniqueness enforcement during registration. The root cause is the absence of a check to verify if an email address is already present in the system before creating a new user.