The second vulnerability allows remote attackers to execute arbitrary commands on the server PHPlist is hosted on. This is a major security breach and should be avoided at all cost. This vulnerability can be avoided by adding the following content in a file called ".htaccess" in the admin directory of PHPlist.
<FilesMatch ".(php|inc)$">
Order allow,deny
deny from all
</FilesMatch>
<FilesMatch "index.php$">
Order allow,deny
allow from all
</FilesMatch>