: Setting allow_php_templates = 1 transforms the template into a remote code execution (RCE) vector. Never enable it on multi-tenant or public-facing installs. 10. Modernizing PHPList Templates (Migration Patterns) If you must integrate PHPList into a modern stack, consider these patterns: Pattern A: Headless Placeholder Provider Write a plugin that fetches template HTML from an external API:
SELECT template FROM phplist_templatetemplate WHERE id = 42; To extend beyond [FIRSTNAME] , you must write a PHPList plugin. The hook _contentPlaceholder allows dynamic replacement: phplist templates
Use the database as your source of truth. Never enable allow_php_templates . And always, always provide a text version. Your deliverability depends on it. : Setting allow_php_templates = 1 transforms the template