Cross-Site Request Forgery (CSRF) in phpList/phplist3

Valid
Reported on May 18th 2021

💥 BUG

CSRF in the admin subscriber deletion action: a forged GET request with no CSRF token deletes a subscriber.

💥 STEPS TO REPRODUCE

  1. Create a subscriber in your account.

  2. Now delete that subscriber with the URL https://tesfdsf.hosted.phplist.com/lists/admin/?page=users&start=0&find=&findby=&delete=4 . No CSRF token is checked on this request: change the delete parameter to any subscriber ID, open the URL while logged in as admin, and that subscriber is deleted. Because the deletion is a plain GET with no token, an attacker only needs to place the URL in a link or image on any page a logged-in admin visits; the admin's browser attaches the session cookie automatically and the deletion goes through.
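The following is an added illustration written for this report, not phpList's own code. It models the reported behaviour with a hypothetical in-memory subscriber store and two handler functions: vulnerable_delete reproduces the GET-without-token pattern above, and hardened_delete shows the check a fix needs (a per-session random token, compared in constant time, on a POST). The attacker page is a constructed string that reuses the report's URL; the session and request objects are plain dicts standing in for the web framework.

```python
import hmac
import secrets
import urllib.parse

# Constructed attacker page: the report's URL embedded in an <img> tag. Any
# logged-in admin whose browser renders this page fires the GET, and the
# browser attaches the admin's session cookie to it.
ATTACKER_PAGE = (
    '<img src="https://tesfdsf.hosted.phplist.com/lists/admin/'
    '?page=users&start=0&find=&findby=&delete=4">'
)


def make_store():
    """Constructed subscriber table (id -> email) standing in for phpList's data."""
    return {1: "a@example.com", 2: "b@example.com", 4: "d@example.com"}


def forged_get_request(attacker_html):
    """Build the GET request the victim's browser sends when it loads the <img>."""
    src = attacker_html.split('src="', 1)[1].split('"', 1)[0]
    query = urllib.parse.parse_qs(urllib.parse.urlparse(src).query,
                                  keep_blank_values=True)
    return {"method": "GET", "query": {k: v[0] for k, v in query.items()},
            "form": {}}


def issue_csrf_token(session):
    """Mint one unguessable token per login session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def vulnerable_delete(store, session, request):
    """Hypothetical handler mirroring the report: authentication is checked
    (via the cookie-backed session) but nothing proves the admin intended
    this request, so a cross-site GET succeeds."""
    if not session.get("admin_logged_in"):
        return "not authenticated"
    subscriber_id = request["query"].get("delete")
    if subscriber_id is None:
        return "nothing to do"
    removed = store.pop(int(subscriber_id), None)
    return "deleted" if removed else "no such subscriber"


def hardened_delete(store, session, request):
    """Same action with the checks a fix needs: state change only via POST,
    and the submitted token must match the session's token exactly."""
    if not session.get("admin_logged_in"):
        return "not authenticated"
    if request["method"] != "POST":
        return "rejected: state change must be POST"
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences.
    if not expected or not hmac.compare_digest(expected, supplied):
        return "rejected: bad csrf token"
    subscriber_id = request["form"].get("delete")
    if subscriber_id is None:
        return "nothing to do"
    removed = store.pop(int(subscriber_id), None)
    return "deleted" if removed else "no such subscriber"


def legitimate_post_request(session, subscriber_id):
    """The request the admin UI's own delete form would send after a fix."""
    return {"method": "POST", "query": {},
            "form": {"delete": str(subscriber_id),
                     "csrf_token": issue_csrf_token(session)}}


if __name__ == "__main__":
    admin_session = {"admin_logged_in": True}
    forged = forged_get_request(ATTACKER_PAGE)
    print("vulnerable:", vulnerable_delete(make_store(), admin_session, forged))
    print("hardened, forged GET:", hardened_delete(make_store(), admin_session, forged))
    print("hardened, real form:", hardened_delete(
        make_store(), admin_session, legitimate_post_request(admin_session, 4)))
```

The forged request carries the admin's session but no token, so the hardened handler rejects it before touching the store, while the application's own form (which embeds the session token) still works. Requiring POST alone is not sufficient, since a hidden auto-submitting form can send cross-site POSTs; the token comparison is the actual defence.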

💥 VIDEO

https://drive.google.com/file/d/1twxk4LA_KPt_puKwGtrR2Iq8Pmdsm_hN/view?usp=sharing