Impact
This vulnerability originates in the getIdFromSolutionId() function in phpMyFAQ, which performs no permission checks before returning FAQ information. As a result, an unauthenticated attacker can read the titles of restricted FAQ entries simply by requesting the /solution_id_{id}.html URL. The exposed data includes metadata conveyed through redirect Location headers and canonical URLs, which enables enumeration of FAQ content and the discovery of entries reserved for specific users or groups. The flaw is classified as CWE-863, a missing permission check that permits unauthorized information disclosure.
Affected Systems
All installations of phpMyFAQ older than version 4.1.2 are affected. The issue exists in the getIdFromSolutionId() handler, which is reached through the /solution_id_{id}.html endpoint. Administrators should check the installed version against the vendor's release notes to determine whether they are vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity, and the vulnerability is exploitable remotely with no authentication required. EPSS data is not available, so the exploitation likelihood cannot be quantified, but the flaw is openly documented and the attack path is trivial to emulate. The vulnerability is not listed in CISA’s KEV catalog. Attackers can sequentially iterate numeric solution IDs to discover all FAQ entries, including those intended for only privileged audiences, thus leaking sensitive metadata. The impact primarily involves confidentiality compromise, potentially aiding further reconnaissance or targeted attacks.
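The sequential ID walk described above leaves a recognizable pattern in web server access logs. The following is an added detection example, not code from the advisory or from phpMyFAQ: it flags clients that request many distinct /solution_id_{id}.html URLs within a short window. The Combined Log Format, the thresholds, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed input: Apache/nginx Combined Log Format (client, timestamp, request).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|HEAD) (?P<path>\S+) '
)
# Endpoint named in the advisory; a trailing query string is tolerated.
SOLUTION_RE = re.compile(r'/solution_id_(\d+)\.html(?:\?|$)')


def find_enumerators(lines, min_ids=5, window=timedelta(minutes=1)):
    """Return {client_ip: sorted distinct solution IDs} for clients that hit
    at least `min_ids` distinct IDs inside one sliding `window`."""
    hits = defaultdict(list)  # ip -> [(timestamp, solution_id)]
    for line in lines:
        m = LINE_RE.match(line)
        s = SOLUTION_RE.search(m.group("path")) if m else None
        if not s:
            continue  # unparseable line or unrelated URL
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group("ip")].append((ts, int(s.group(1))))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start, seen = 0, set()
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {sid for _, sid in events[start:end + 1]}
            if len(ids) >= min_ids:
                seen |= ids
        if seen:
            flagged[ip] = sorted(seen)
    return flagged


# Constructed sample: one client walks IDs 1000-1005 in six seconds,
# another reads a single entry and then the index page.
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/Mar/2025:10:00:{i:02d} +0000] '
    f'"GET /solution_id_{1000 + i}.html HTTP/1.1" 301 0'
    for i in range(6)
] + [
    '198.51.100.7 - - [12/Mar/2025:10:00:03 +0000] "GET /solution_id_1003.html HTTP/1.1" 301 0',
    '198.51.100.7 - - [12/Mar/2025:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]
```

Tune `min_ids` and `window` against normal traffic, since search engine crawlers and users following shared solution links also request this endpoint.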