Yes, this is my understanding as well – from the first post link, it appears CORS does not directly support multiple sites.
However, I imagine it is quite common that many users would like to be able to use one phpList install across multiple domains. So I worry that a number of installs have set it to wildcard and are now at risk.
But after thinking through the problem, the attacks seem relatively esoteric. It would be a much bigger risk if the admin interface applied ACCESS_CONTROL_ALLOW_ORIGIN, but that’s only applied to the end user interface. Those pages don’t expose end users’ e-mail addresses in plaintext (and not without the UID either). So any potential attacker would already need to know the user’s e-mail address, which is possible, but at that point CORS doesn’t become the limiting factor as there are workarounds.
That said, it would be great if phpList could handle multiple whitelisted sites for CORS, but given how minimal the attacks are, it does not seem like a risk in practicality to me. What do you think?
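A server-side way to serve several sites without falling back to the wildcard, as an added example (not phpList code): the request's Origin header is compared against a fixed allow-list and, only on an exact match, echoed back in Access-Control-Allow-Origin. The function name and the allow-list entries below are assumptions.

```php
<?php
// Added example, not part of phpList. Browsers accept only one value in
// Access-Control-Allow-Origin, so the usual way to support several sites is
// to echo back the request's Origin when it is on an explicit allow-list.

/**
 * Return the CORS headers to send for a request Origin, or an empty array
 * when the origin is not allowed (no CORS headers at all, so the browser
 * refuses the cross-origin read).
 */
function corsHeadersFor(?string $origin, array $allowedOrigins): array
{
    // No Origin header: same-origin or non-browser request; nothing to add.
    if ($origin === null || $origin === '') {
        return [];
    }
    // Exact, case-sensitive match on scheme + host (+ port). Substring or
    // prefix checks would let "https://example.com.other.test" pass for
    // "https://example.com", so they are deliberately not used.
    if (!in_array($origin, $allowedOrigins, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin' => $origin,
        // Tell caches the response varies per Origin; otherwise a response
        // cached for site A could be served, with A's header, to site B.
        'Vary' => 'Origin',
    ];
}

// Weak setting discussed in the thread: every site may read the responses.
$weak = ['Access-Control-Allow-Origin' => '*'];

// Corrected setting: one explicit entry per site (constructed sample values).
$allowedOrigins = [
    'https://news.example.com',
    'https://shop.example.com',
];

// Demonstration on constructed inputs: allowed, not allowed, and absent.
foreach (['https://news.example.com', 'https://not-on-list.example.net', null] as $o) {
    printf("%-35s => %s\n", var_export($o, true),
        json_encode(corsHeadersFor($o, $allowedOrigins)));
}

// Real request handling: emit only what the allow-list check returns.
foreach (corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null, $allowedOrigins) as $name => $value) {
    header("$name: $value");
}
```

Run from the CLI the script just prints the three decisions; under a web server the final loop sends the headers for the actual request.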