phpMyFAQ doesn't implement sufficient checks to avoid XSS when
storing attachment filenames. The 'sharing FAQ' functionality
allows any unauthenticated actor to misuse the phpMyFAQ application
to send arbitrary emails to a large range of targets. phpMyFAQ's
user removal page allows an attacker to spoof another user's
details and, in turn, make a compelling phishing case for removing
another user's account.