 

phplist : Security Announcement

 
Recently two vulnerabilities have been found in older versions of PHPlist. Everyone is urgently advised to upgrade to the latest release.

The first vulnerability allows anyone to access the details of your users. This is a breach of privacy, and the exposed details can also be exploited by originators of unsolicited emails.

The second vulnerability allows remote attackers to execute arbitrary commands on the server PHPlist is hosted on. This is a major security breach and should be avoided at all costs. This vulnerability can be avoided by adding the following content to a file called ".htaccess" in the admin directory of PHPlist:

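# Apache 2.2 access-control syntax; on Apache 2.4 these directives need mod_access_compat.
# Block direct requests for every PHP script and include file in this directory.
<FilesMatch "\.(php|inc)$">
Order allow,deny
deny from all
</FilesMatch>
# Re-allow only the admin entry point, matched by its exact file name.
<FilesMatch "^index\.php$">
Order allow,deny
allow from all
</FilesMatch>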
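
Added example, not part of the original announcement or of PHPlist: a small Python model for checking which file names in the admin directory end up reachable under the two FilesMatch sections, comparing the unanchored patterns `.(php|inc)$` / `index.php$` with anchored equivalents. It assumes the last matching section decides, that files matching no section inherit an "allow" from the parent configuration, and uses constructed file names; `decide` and `audit` are illustrative names.

```python
import re

# Each rule: (FilesMatch regex, decision of that section), in file order.
# Assumption of this model: every matching section is applied in order and a
# later section's Order/Allow/Deny settings replace the earlier one's.
LOOSE = [(r".(php|inc)$", "deny"), (r"index.php$", "allow")]
ANCHORED = [(r"\.(php|inc)$", "deny"), (r"^index\.php$", "allow")]


def decide(filename, rules, inherited="allow"):
    """Return 'allow' or 'deny' for a file name in the admin directory.

    FilesMatch tests the bare file name with an unanchored regex search,
    which re.search reproduces for these simple patterns.
    """
    decision = inherited  # assumed parent setting for unmatched files
    for pattern, action in rules:
        if re.search(pattern, filename):
            decision = action  # last matching section wins
    return decision


def audit(filenames, rules):
    """Map each file name to its decision under the given rule set."""
    return {name: decide(name, rules) for name in filenames}


# Constructed file names, not a listing of a real PHPlist admin directory.
SAMPLE_FILES = [
    "index.php",      # the intended entry point
    "helper.inc",     # include file, should never be served directly
    "export.php",     # any other script
    "oldindex.php",   # ends in "index.php" but is not the entry point
    "index.php.bak",  # backup copy, matched by neither section
    "style.css",      # static asset, untouched by both sections
]

if __name__ == "__main__":
    loose, anchored = audit(SAMPLE_FILES, LOOSE), audit(SAMPLE_FILES, ANCHORED)
    for name in SAMPLE_FILES:
        flag = "  <-- differs" if loose[name] != anchored[name] else ""
        print(f"{name:15} loose={loose[name]:5} anchored={anchored[name]:5}{flag}")
```

Files such as `index.php.bak` match neither section under either rule set, so editor backups and renamed copies of scripts need to be removed from the admin directory or covered by an additional rule.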

 