phpMyFAQ versions before 4.1.3 contain a critical authentication bypass vulnerability in the password reset endpoint. The flaw allows unauthenticated attackers to reset any user account password without requiring token verification or email confirmation. Attackers can enumerate valid usernames and obtain plaintext passwords via email, leading to complete account takeover including administrative access. This vulnerability poses a significant risk as it enables full compromise of phpMyFAQ installations.