The vulnerability lies in the DELETE /admin/api/content/tags/{tagId} endpoint of phpMyFAQ prior to 4.1.2. It lacks proper authorization checks, allowing any authenticated user to request the deletion of a tag by supplying a valid session cookie. The action removes the tag permanently, causing loss of organized content in the FAQ module and potential confusion for end users. This flaw does not enable code execution or data exfiltration, but it delivers persistent data‑loss impact and undermines the integrity of the FAQ content.

phpMyFAQ is distributed by the Thorsten team. All installations running phpMyFAQ before version 4.1.2 are susceptible because this version contains the unauthenticated deletion logic. Users of later releases are safe. The vulnerability is tied to the web application's administrative API.

Since the flaw appears only after the user has authenticated to the web application, any compromised or voluntarily logged‑in user can exploit it. No special network access or elevated privileges beyond standard authentication are required. The CVSS base score of 5.3 indicates a medium severity due to the potential for persistent data loss. The EPSS score is < 1% (approximately 0.0004), indicating a very low but non‑zero likelihood of exploitation, and the issue is not listed in CISA’s KEV catalogue, suggesting limited publicly known exploitation. In environments where many users have access, the risk of accidental or malicious tag deletion rises, warranting prompt attention.