A stored XSS and possible RCE/LFI in case of misconfiguration in thorsten/phpmyfaq. An attacker with admin grant can export the configuration and re-upload the same file bypassing all the backend sanitization and controls. This vulnerability allow an attacker to take control of the entire database and in some cases read arbitrary file or execute shell commands by writing malicious php file.