PHPMailer is one of the world's most popular libraries for sending email from PHP applications, with an estimated 9 million users worldwide. It is used by many open-source projects, including WordPress, SugarCRM, Drupal and Yii.
Polish researcher Dawid Golunski found a critical remote code execution (RCE) vulnerability in PHPMailer. All versions of PHPMailer before the security release 5.2.18 are affected.
According to the researcher's post on Legal Hackers: "To exploit the vulnerability, an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.
Note: This is a limited advisory to give users a chance to urgently update their PHPMailer class before disclosing the details. Details of this vulnerability will be published shortly."
MITRE assigned the following CVE ID to this vulnerability: CVE-2016-10033
Here is a quick snapshot of the vulnerable code in PHPMailer, as available on GitHub.
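The vulnerable pattern behind this class of bug is a form-supplied address that becomes the envelope sender and is interpolated into the `-f` option that PHP's mail() passes to sendmail through the shell. The following is an added example written for this page, not PHPMailer's own code and not the snapshot referred to above: it models that risky step, then shows a conservative shell-safety check (a simplified reimplementation of the whitelist approach PHPMailer later adopted, not the library's function) that refuses such addresses. The function names, the site address and the sample inputs are all constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPMailer's code. With the sendmail transport, the
// envelope sender ends up in the fifth argument of PHP's mail(). PHP runs
// that string through escapeshellcmd() and then appends it to sendmail_path,
// which is executed through the shell. Anything the shell treats as an
// argument separator turns the tail of the "address" into extra sendmail
// options.

/** Builds the additional_parameters string exactly as the risky pattern does. */
function buildSendmailParams(string $sender): string
{
    // The dangerous step: the address is interpolated without any check for
    // shell safety. escapeshellcmd() inside mail() does not help enough, since
    // it leaves spaces and matched quotes untouched.
    return sprintf('-f%s', $sender);
}

/**
 * Whitelist check (simplified reimplementation modelled on PHPMailer's later
 * fix, not the library's code): reject anything escapeshellcmd() would alter,
 * any quote character, and any character outside a small set that legitimate
 * addresses need. Whitespace is therefore excluded.
 */
function isShellSafe(string $string): bool
{
    if (escapeshellcmd($string) !== $string) {
        return false;              // contains a shell metacharacter
    }
    if (preg_match('/[\'"]/', $string) === 1) {
        return false;              // quotes, even matched ones, are refused
    }
    return preg_match('/\A[A-Za-z0-9@_\-.+]+\z/', $string) === 1;
}

/** Decide which envelope sender to use for a form submission. */
function chooseEnvelopeSender(string $formAddress, string $siteAddress): string
{
    // Keep the site's own address as the envelope sender unless the form
    // address is both RFC-valid and provably shell-safe.
    $rfcValid = filter_var($formAddress, FILTER_VALIDATE_EMAIL) !== false;
    return ($rfcValid && isShellSafe($formAddress)) ? $formAddress : $siteAddress;
}

// Constructed sample inputs (hypothetical, not taken from the advisory).
$siteAddress = 'noreply@example.org';
$candidates = [
    'alice@example.com',
    // Quoted local part smuggling sendmail options: -X tells sendmail to write
    // a transaction log, message body included, to the named file.
    '"alice\" -oQ/tmp/ -X/var/www/html/shell.php  x"@example.com',
    'bob@example.com;id',   // ';' is a shell command separator as well
];

foreach ($candidates as $addr) {
    printf("address:      %s\n", $addr);
    printf("  as -f param: %s\n", buildSendmailParams($addr));
    printf("  shell-safe:  %s\n", isShellSafe($addr) ? 'yes' : 'no');
    printf("  sender used: %s\n\n", chooseEnvelopeSender($addr, $siteAddress));
}
```

The check deliberately rejects some addresses that are valid under the e-mail RFCs (quoted local parts in particular); that is the trade-off a practitioner wants when the value reaches a shell. Using a fixed site address as the envelope sender and placing the user's address in a Reply-To header avoids the problem entirely.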
Mitigation: The vendor has published an urgent security release for this issue. It is recommended to upgrade to PHPMailer 5.2.18 or later.
The vendor released the critical security release PHPMailer 5.2.18 to fix the issue, as notified at:
Since this vulnerability has a critical security impact (remote code execution reachable through any form that sends email), it should be patched as soon as possible. Update: the fix in 5.2.18, which wrapped the sender address in escapeshellarg(), was subsequently found to be bypassable (CVE-2016-10045); the complete fix shipped in PHPMailer 5.2.20, so upgrade to 5.2.20 or later rather than stopping at 5.2.18.