CVE-2020-8547
CRITICALphplist 3.5.0 - Unauthenticated Admin Login Bypass via Password Hash Type Juggling
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2020-8547. PoCs published by Suvadip Kar.
AI-analyzed exploit summary This is a detailed writeup explaining an authentication bypass vulnerability in phpList 3.5.0 due to PHP loose comparison. It includes vulnerable code, steps to reproduce, and a fix.
Description
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
Exploits (1)
exploitdb
WRITEUP
by Suvadip Kar · phpwebappsphp
https://www.exploit-db.com/exploits/47989
This is a detailed writeup explaining an authentication bypass vulnerability in phpList 3.5.0 due to PHP loose comparison. It includes vulnerable code, steps to reproduce, and a fix.
Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target:
phpList 3.5.0
No auth needed
Prerequisites:
Access to the login endpoint · Knowledge of a valid username
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (1)
Core 1
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/47989
Scores
CVSS v3
9.8
EPSS
0.0586
EPSS Percentile
92.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
phplist/phplist
3.5.0
Published
Feb 03, 2020
Tracked Since
Feb 18, 2026