"Up to version 2.10.12, it provided no protection against cross site
request forgery (CSRF) at all, allowing a malicious attacker
controlling a webpage an admin visits while logged into
phplist to gain full control over the phplist installation.
The vendor has released version 2.10.13, which fixes the vulnerability,
but somehow forgot to give any credit to the person reporting the
vulnerability to them."
It is recommended that phplist admins upgrade to the latest patched
version of the software.