CVE-2007-2372

phpMyNewsletter <0.8 beta5 - Open Redirect

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-2372. PoCs published by BlackHawk.

AI-analyzed exploit summary This exploit targets phpMyNewsletter <= 0.8 (beta5) by either deleting configuration values or sending unauthorized emails to subscribers. It leverages authentication bypass and improper access control vulnerabilities.

Description

admin/send_mod.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier prints a Location header but does not exit when administrative credentials are missing, which allows remote attackers to compose an e-mail message via a post with the subject, message, format, and list_id fields; and send the message via a direct request for the MsgId value under admin/.

Exploits (1)

exploitdb WORKING POC VERIFIED

by BlackHawk · phpwebappsphp

https://www.exploit-db.com/exploits/3671

View Code ZIP pw:eip

This exploit targets phpMyNewsletter <= 0.8 (beta5) by either deleting configuration values or sending unauthorized emails to subscribers. It leverages authentication bypass and improper access control vulnerabilities.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: phpMyNewsletter <= 0.8 (beta5)

No auth needed

Prerequisites: Network access to the target application · Knowledge of the target path

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/23342

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/3671

Scores

EPSS 0.0820

EPSS Percentile 94.2%

Details

Status published

Products (1)

gregory_kokanosky/phpmynewsletter < 0.8_beta_5

Published Apr 30, 2007

Tracked Since Feb 18, 2026