This is the standard best-practice way to store passwords, and would be much improved over the current implementation, even after CVE-2020-8547 was fixed in phpList v3.5.1.
Unfortunately, I see that phpList’s minimum system requirements lists php v5.3.3, but php’s password hashing functions were not introduced until php v5.5.5. Is there a strong use case for supporting <= 5.5.5? If not, could it be bumped to php v5.5.5 so phpList can make use of password_hash(), password_verify(), etc?
Actually, the minimum PHP version to be able to safely use the PHP password functionality can be as low as PHP 5.3.7, due to the availability of ircmaxell/password_compat on packagist.
This makes the modern password functions available for PHP starting from PHP 5.3.7
This means phpList would only need to raise the minimum version of PHP from 5.3.3 to 5.3.7 and add ircmaxell/password_compat as a requirement via composer to be safely use the modern password hashing functionality.
A blog post on how to update passwords from the old hashes to the new hases can be found here.