phpList 3.5.1 Released: Security Release


This release is a security release – you should upgrade as soon as possible.
This vulnerability is present in all versions before 3.5.1.


This release addresses a recently found vulnerability in the code that verifies the password when an administrator logs in. Because of this flaw, attackers can potentially gain access by using a carefully constructed, but incorrect, password.

The fix switches the password validation line in this file to the strict comparison operator ‘===’.
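Why the operator matters, shown as an added example (not phpList's code, which this page does not show): PHP's `==` compares two numeric-looking strings as numbers, so strings that differ can still compare equal, while `===` and `hash_equals()` compare the strings themselves. The function names and sample values are hypothetical and constructed for illustration, and treating the compared values as digest-like strings is an assumption.

```php
<?php
// Added illustration: hypothetical verification helpers, not phpList's code.
// Assumption: the stored and computed values are digest-like strings.

function verify_loose(string $stored, string $computed): bool
{
    // '==' converts two numeric-looking strings to numbers before comparing.
    return $stored == $computed;
}

function verify_strict(string $stored, string $computed): bool
{
    // '===' compares the strings as they are, with no numeric conversion.
    return $stored === $computed;
}

function verify_constant_time(string $stored, string $computed): bool
{
    // hash_equals() is equally strict and compares in constant time.
    return hash_equals($stored, $computed);
}

// Constructed sample values (not real digests or credentials).
$cases = [
    'identical strings'    => ['9b74c9897bac770f', '9b74c9897bac770f'],
    'ordinary mismatch'    => ['9b74c9897bac770f', '1a79a4d60de6718e'],
    'scientific notation'  => ['0e123456789012345678901234567890',
                               '0e987654321098765432109876543210'],
    'exponent vs. integer' => ['1e3', '1000'],
    'leading zeros'        => ['00123', '123'],
];

printf("%-22s %-6s %-6s %s\n", 'case', '==', '===', 'hash_equals');
foreach ($cases as $label => [$stored, $computed]) {
    printf(
        "%-22s %-6s %-6s %s\n",
        $label,
        var_export(verify_loose($stored, $computed), true),
        var_export(verify_strict($stored, $computed), true),
        var_export(verify_constant_time($stored, $computed), true)
    );
}
// Only the first row is a genuine match. The last three rows pass the
// loose check even though the strings differ; the strict checks reject them.
```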

If you are running version 3.4.7 or later, you can use the Automatic Updater to update your installation, or see the Download page for full installation and upgrade instructions.


We want to thank Suvadip Kar for reporting and submitting the fix for the issue.
To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.

