phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the «Config – Import Administrators» page.
