CVE-2012-4246

phplist < 2.10.19 - Cross-Site Scripting via Page Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-4246.

AI-analyzed exploit summary: The exploit demonstrates a CSRF vulnerability in phplist 2.10.9 that allows an attacker to add an admin account via a crafted POST request. It also includes an XSS payload delivery mechanism via a form submission to the send message functionality.

Description

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the (2) footer, (3) status, or (4) testtarget parameter in the send page.

Exploits (1)

exploitdb WORKING POC
html, webapps, php
https://www.exploit-db.com/exploits/18419

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: phplist version 2.10.9
No auth needed
Prerequisites: Victim must visit a malicious page hosting the exploit forms
devstral-2 · analyzed Feb 19, 2026

References (6)

Core References
Exploit, Patch x_refsource_confirm
http://www.phplist.com/?lid=579
Exploit x_refsource_misc
https://www.httpcs.com/advisory/httpcs24
Exploit x_refsource_misc
https://www.httpcs.com/advisories
Exploit x_refsource_misc
https://www.httpcs.com/advisory/httpcs23
Vendor Advisory x_refsource_misc
https://www.httpcs.com/advisory/httpcs25
Vendor Advisory x_refsource_misc
https://www.httpcs.com/advisory/httpcs26

Scores

EPSS 0.0714
EPSS Percentile 91.8%

Details

CWE
CWE-79
Status published
Products (23)
phplist/phplist 2.6.5
phplist/phplist 2.7.1
phplist/phplist 2.7.2
phplist/phplist 2.8.2
phplist/phplist 2.8.7
phplist/phplist 2.8.12
phplist/phplist 2.10.1
phplist/phplist 2.10.2
phplist/phplist 2.10.3
phplist/phplist 2.10.4
... and 13 more
Published Aug 12, 2012
Tracked Since Feb 18, 2026