phpList 3.5.4 released: Security Release


phpList 3.5.4 is now available for download, including several security fixes reported by: @r0ck3t1973, Songohan22 and Penghui Li, Sarthak Saini and  Carlos Ramírez.

Additionally, this release includes a “Beta” version of “Generate Preview” option that makes it possible for you to see how the preview of your campaign will look in most email clients.
You can check what the current implementation can and can not do here and you can propose  future improvements in the mantis issue.
Thanks to @samtuke for implementing this.

Changes in this release

Usability improvements and functionality enhancements:

  1. Clickable link at the top of the click stats page — thanks to @samtuke, see [the pull request](
  2.  Added HTTP_Request2 as a fallback when curl is not available — thanks to @duncanc, see [the pull request]( for more details.
  3. Updater menu entry is now shown only for superusers
  4. The updater handles deletion of broken symlinks
  5.  Help added for the website field on the Settings page and updated help texts about date format and ‘ tracking codes — thanks to @duncanc


  1. [Security Fix]: Implement XSS filters in /lists/admin/admin.php and /lists/admin/admins.php — thanks to Sarthak Saini for reporting the issue and @xh3n1 for providing the fix.
  2. [Security Fix]: Implement XSS filter in /lists/admin/user.php and /lists/admin/users.php — thanks to Carlos Ramírez from wizlynx group for reporting the issue.
  3. [Security Fix]: Implement XSS filter in /lists/admin/editattributes.php — thanks to @r0ck3t1973 for reporting the issue
  4. [Security Fix]: Implement XSS filter in /lists/admin/send_core.php — thanks to @r0ck3t1973 for reporting the issue
  5. [Security Fix]: Implement XSS filter in /lists/admin/connect.php and /lists/admin/subscribelib2.php — thanks to @r0ck3t1973  for reporting the issue
  6. [Security Fix]: Implement XSS filter in /lists/admin/configure.php and /lists/admin/list.php — thanks to @r0ck3t1973 for reporting the issue
  7. [Security Fix]: Implement XSS filter in /lists/admin/importsimple.php and /inc/magic_quotes.php — thanks to @Songohan22  for reporting the issue
  8. [Security Fix]: Switch to strict comparison in  /lists/admin/index.php and  /lists/admin/subscribelib2.php — thanks to @peng-hui for reporting the issue
  9. Updated default list of TLDs — thanks to @duncanc for pointing it out the problem
  10. Fixed incorrect statistics link in German installations, due to incorrect translation see [mantis issue]( — please consider that fetching translations won’t fix the issue for now. It’s the update itself that uses the corrected version. Thanks to @jimbocity for reporting it.
  11. Fixed broken link in the Install file — thanks to [Hiroyuki Sato](


  • Changed config value for “$database_host ” from ‘localhost’ to ‘dbhost’ — enabling a default setup that works with a DB that is not on the same machine


This release is the work of Duncan Cameron, Sam Tuke, Xheni Myrtaj and other Open Source community members who have submitted bug reports and valuable feedback, as well as phpList Ltd. developers. To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API  to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.


Need help upgrading your phpList server to the newest version? Ask the community at Professional support from community experts, as well as manuals, source code, and developer resources, can be found at Report all bugs to the bugtracker!

Want to focus on campaigns and forget hosting headaches? Sign up at for an account with everything included. Send from 300 free messages to 30 million messages per month — simple.

Leave a Reply