phpMyFAQ 2.9.8 Cross Site Scripting

`# Exploit Title: phpMyFAQ 2.9.8 Stored XSS  
# Vendor Homepage: http://www.phpmyfaq.de/  
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip  
# Exploit Author: Ishaq Mohammed  
# Contact: https://twitter.com/security_prince  
# Website: https://about.me/security-prince  
# Category: webapps  
# CVE: CVE-2017-14618  
  
1. Description  
  
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ  
through 2.9.8 allows remote attackers to inject arbitrary web script or  
HTML via the Questions field in an "Add New FAQ" action.  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14618  
  
2. Proof of Concept  
  
Steps to Reproduce:  
1. Open the affected link "http://localhost/phpmyfaq/  
admin/?action=editentry" with logged in user with administrator privileges  
2. Enter the <a onmouseover=alert(document.cookie)>xss link</a> in the  
aQuestionsa  
3. Save the FAQ  
4. Login using any other user or simply click on the phpMyFAQ on the  
top-right hand side of the web portal  
5. Click on the latest FAQ added  
6. Hover around the name "xss link"  
  
  
3. Solution:  
  
The issue is now patched by the vendor  
https://github.com/thorsten/phpMyFAQ/commit/30b0025e19bd95ba28f4eff4d25967  
1e7bb6bb86  
  
--   
Best Regards,  
Ishaq Mohammed  
https://about.me/security-prince  
`