CVE-2005-3556 in PHPList
Summary
by MITRE
Multiple cross-site scripting (XSS) vulnerabilities in PHPlist 2.10.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) listname parameter in (a) admin/editlist.php, (2) title parameter in (b) admin/spageedit.php, (3) title field in (c) admin/template.php, (4) filter, (5) delete, and (6) start parameters in (d) admin/eventlog.php, (7) id parameter in (e) admin/configure.php, (8) find parameter in (f) admin/users.php, (9) start parameter in (g) admin/admin.php, and (10) action parameter in (h) admin/fckphplist.php.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/13/2025
The vulnerability described in CVE-2005-3556 represents a critical cross-site scripting flaw affecting PHPlist version 2.10.1 and earlier, exposing multiple entry points where malicious actors can inject arbitrary web scripts or HTML content. This vulnerability falls under CWE-79 which specifically addresses cross-site scripting conditions, making it a fundamental web application security risk that can compromise user sessions and data integrity. The affected parameters span across various administrative interfaces within the PHPlist system, creating a comprehensive attack surface that demonstrates poor input validation practices throughout the application's codebase.
The technical flaw manifests through insufficient sanitization of user-supplied input across multiple administrative scripts including editlist.php, spageedit.php, template.php, eventlog.php, configure.php, users.php, admin.php, and fckphplist.php. Attackers can exploit these vulnerabilities by manipulating parameters such as listname, title, filter, delete, start, id, find, and action to inject malicious scripts that execute in the context of other users' browsers. The impact extends beyond simple script execution to potentially enable session hijacking, credential theft, and data manipulation within the compromised system. This vulnerability is particularly dangerous in administrative contexts where users have elevated privileges, as it could allow attackers to gain unauthorized access to sensitive system functions and data.
The operational impact of this vulnerability is significant for organizations using PHPlist for email marketing and user management. Successful exploitation could lead to unauthorized access to administrative panels, allowing attackers to modify email templates, manipulate user lists, access sensitive data, and potentially escalate privileges within the system. The widespread nature of affected parameters across multiple files indicates a systemic issue in input handling practices rather than isolated code defects. This vulnerability aligns with ATT&CK technique T1059.007 for command and scripting interpreter and T1566 for credential access through web application attacks, demonstrating how XSS vulnerabilities can serve as initial access vectors for more sophisticated attacks. Organizations may face regulatory compliance issues and reputational damage if user data is compromised through these vulnerabilities.
Mitigation strategies should focus on implementing comprehensive input validation and output encoding across all user-supplied parameters. The recommended approach includes implementing strict sanitization of all input fields, particularly those used in administrative interfaces, and employing proper context-aware output encoding for all dynamic content. Organizations should immediately upgrade to PHPlist versions 2.10.2 or later where these vulnerabilities have been addressed through proper input validation and sanitization measures. Additionally, implementing Content Security Policy headers, regular security code reviews, and input validation testing can prevent similar vulnerabilities from emerging in future deployments. The remediation process should also include security awareness training for administrators and regular vulnerability scanning to identify potential injection points throughout the application stack.