phpList 3.5.5 released: Security fixes and more


phpList 3.5.5 is now available for download, including several security fixes reported by: Dino Covotsos of Telspace Systems, @xheni,  @r0ck3t1973, Songohan22 .
This release also includes 5 other changes that fix other bugs, or help improve usability and functionality.

You can update your phpList installation using the Automatic Updater, or you can download it directly from Sourceforge.

Changes in this release

Usability improvements and functionality enhancements:

  1. Avoided warnings about $pageroot when phplist is installed in the web root, and improved warning message to include values that don’t match – thanks to @duncanc, see the pull request
  2. Removed redundant code following changes included in phpList 3.5.4 – thanks to @duncanc, see the pull request
  3. Added SameSite to the browsetrail cookie to handle warnings in Firefox – The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context – more information in the mantis issue, thanks to @duncanc for raising this
  4. Correct description on “CLICKTRACK” value in config_extended.php — thanks to @hiroyuki-sato for noticing and updating the information.
  5. Avoid listing “All lists” and “All public lists” among available option when “List Exclude” is used


1. [Security Fix]: Error-based SQL Injection vulnerability exists via the Import Administrators Section
2. [Security Fix]: Code Injection via “Import administrators”

Special thanks to Dino Covotsos of Telspace Systems, for disclosing his findings in a very responsible way.

3. [Security Fix]: Cross Site Scripting Vulnerability on “Send a campaign” page: The “Send a web page” URL value has now been encoded and the emails set to receive the notifications are verified.
4. [Security Fix]: Cross Site Scripting Vulnerability on “Manage administrators” – the email address of an admin has now been sanitized
5. [Security Fix]: Cross Site Scripting Vulnerability on “Bounce rules” – unnecessary JS action has now been removed
6. [Security Fix]: Cross Site Scripting Vulnerability on “Name of the organisation” option of “Settings” page – the use of tags has now been restricted and JS disallowed
7. [Security Fix]: Cross Site Scripting Vulnerability on “Import subscribers” via SVG upload – tags in CSV import headers have now been ignored

Special thanks to community contributor @Songohan22 for reporting the issues.

8. [Security Fix]: Implement XSS filter /lists/admin/spageedit.php and /lists/admin/editlist.php — thanks to @xheni for reporting the issues and providing the fixes
9.  Fixed “Save Changes” on  the “Lists” page, now allowing updates in lists’ status (Public vs Private) and order in bulk — thanks to @xheni  for providing the fix.

phpList 3.5.5


This release is the work of Duncan Cameron, Xheni Myrtaj, Dino Covotsos and other Open Source community members who have submitted bug reports and valuable feedback, as well as phpList Ltd. developers. To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API  to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.


Need help upgrading your phpList server to the newest version? Ask the community at Professional support from community experts, as well as manuals, source code, and developer resources, can be found at Report all bugs to the bugtracker!

Want to focus on campaigns and forget hosting headaches? Sign up at for an account with everything included. Send from 300 free messages to 30 million messages per month — simple.

Leave a Reply