phPay is vulnerable to email header injection. A remote attacker could inject a specially-crafted email header in the nu_mail.inc.php script, using the 'mail_text2' parameter, which could be used for sending unsolicited email messages.
Andreas Kansok phPay 2.02 and 2.02.1
Successful exploit allows remote attackers to use the server as an open mail relay.
Currently we are not aware of any vendor-supplied patches for this issue.