phpMyFAQ Duplicate Email Registration Vulnerability Allowing Multiple Accounts with Same Email

Vulnerability

A vulnerability in phpMyFAQ versions 4.0-nightly-2025-10-03 and prior allows users to register multiple accounts using the same email address. This lack of email uniqueness can lead to account confusion and, in some cases, privilege escalation or account takeover, especially since email is commonly used for password resets and administrative notifications.

Impact

This vulnerability can cause a loss of accountability in user actions, as multiple accounts can be associated with a single email. It also creates ambiguity in password reset processes, allowing potential account takeover. Additionally, if one of the accounts with the duplicated email has administrative rights, it could lead to unauthorized privilege escalation.

Reproduction

To reproduce this vulnerability, register a user account with a specific email address. Then, register another account using the same email. Both accounts will be listed under the user management section in the admin panel.

Remediation

Users can update to phpMyFAQ version 4.0.13, where this vulnerability has been fixed.
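The uniqueness check that closes this class of bug, as an added example (not phpMyFAQ's own code): the registration path that only enforces a unique login name is shown beside a hardened one that normalizes the address, checks it, and relies on a unique index as a backstop, with a reset-style lookup showing why duplicates cause ambiguity. Table and column names are assumptions.

```python
import sqlite3


def make_db(enforce_unique: bool) -> sqlite3.Connection:
    """In-memory users table; the hardened variant adds a unique index on email."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
                 " login TEXT NOT NULL UNIQUE, email TEXT NOT NULL)")
    if enforce_unique:
        # Storage-layer backstop: two concurrent registrations racing past the
        # application check still cannot both commit the same address.
        conn.execute("CREATE UNIQUE INDEX users_email_unique ON users(email)")
    return conn


def normalize_email(email: str) -> str:
    # Trim and lower-case so 'User@Example.com ' and 'user@example.com' collide.
    return email.strip().lower()


def register_weak(conn: sqlite3.Connection, login: str, email: str) -> bool:
    """Mirrors the weakness described above: only the login name must be unique."""
    conn.execute("INSERT INTO users(login, email) VALUES (?, ?)", (login, email))
    return True


def register_hardened(conn: sqlite3.Connection, login: str, email: str) -> bool:
    """Application check plus the unique index; returns False on a duplicate."""
    norm = normalize_email(email)
    if conn.execute("SELECT 1 FROM users WHERE email = ?", (norm,)).fetchone():
        return False
    try:
        conn.execute("INSERT INTO users(login, email) VALUES (?, ?)", (login, norm))
    except sqlite3.IntegrityError:  # lost the race; the index rejected the row
        return False
    return True


def accounts_for_reset(conn: sqlite3.Connection, email: str) -> list:
    """What a password-reset flow sees: every login matching the address."""
    rows = conn.execute("SELECT login FROM users WHERE lower(trim(email)) = ?"
                        " ORDER BY login", (normalize_email(email),)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    weak = make_db(False)
    register_weak(weak, "alice", "user@example.com")
    register_weak(weak, "bob", "user@example.com")
    print("weak: reset matches", accounts_for_reset(weak, "user@example.com"))
```

A reset flow that finds more than one login for an address has no safe way to pick a target, which is the ambiguity the advisory describes.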

Added: Oct 3, 2025, 9:18 PM
Updated: Oct 3, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 9.5
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.