phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrator…

phpMyFAQ versions before 4.1.3 contain an insecure direct object reference vulnerability in the admin API user password endpoint. The vulnerability allows authenticated administrators to change any user's password without proper authorization verification. Attackers with low-privilege admin credentials can exploit this by modifying the userId parameter in the overwrite-password API request. This enables privilege escalation from a regular admin account to SuperAdmin level access. The vulnerability affects the admin API specifically and requires authenticated access to exploit.