PHPMailer has a Remote Code Execution Vulnerability Affecting Millions: Hackers Get a Huge Present on Christmas Day
A critical vulnerability in the nearly ubiquitous PHPMailer transport class was published by Dawid Golunski of LegalHackers on Christmas Day (CVE-2016-10033). PHPMailer is one of the world's most popular transport classes, with an estimated 9 million users worldwide. It is one of the most widely used classes for sending email from PHP and is the primary mail method in many open-source projects such as WordPress, Joomla, Drupal, 1CRM, SugarCRM, Yii, and many more. It is also used in plugins, modules, extensions and themes for many of these CMSs.
The vulnerability disclosed is a remote code execution flaw, so it is a serious one. Many vendors are scrambling to determine just how exposed they are, and the big open-source CMS projects (WordPress, Joomla, and Drupal) have not yet released patches.
As Dawid Golunski described in his advisory, "to exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class."
All versions of PHPMailer before the critical release, PHPMailer 5.2.18, are affected, so web administrators and developers are strongly recommended to update to the patched release.
The staff at SlickRockWeb are taking this vulnerability seriously, and the day after Christmas we were already identifying plugins, themes and core files that could be affected. We have also begun applying a custom patch to all of our customer sites, well in advance of the vendor patches, which as of yet have not been released.
If you have any questions about this vulnerability and whether you think you might be affected do not hesitate to call us at 1-800-975-5695.
We will be providing more updates as we discover more information and as more information about this vulnerability is published by other security analysts.
[UPDATE - 12/28/16: Dawid Golunski discovered that the patch implemented in 5.2.18 for the RCE he found in PHPMailer created a new 0-day vulnerability. All web administrators and developers are strongly recommended to update to version 5.2.21 of PHPMailer, which fixes this inadvertent 0-day. Note that version 5.2.21 also covers the original RCE vulnerability first discovered by Dawid.]
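Because PHPMailer is bundled separately by core, plugins and themes, a site can carry several copies at different versions. The inventory script below is an added example (not SlickRockWeb's patch or PHPMailer's own code): it walks a web root, finds bundled PHPMailer class files and flags every copy older than 5.2.21. It assumes the class is shipped under the file names `class.phpmailer.php` or `PHPMailer.php` and declares its version as `$Version = '5.2.x';`.

```python
import re
from pathlib import Path

# Patched release named in the update above; anything older is flagged.
FIXED_VERSION = (5, 2, 21)

# File names under which the PHPMailer class is commonly bundled
# (assumption: the 5.2.x series as class.phpmailer.php, later as PHPMailer.php).
CLASS_FILES = {"class.phpmailer.php", "PHPMailer.php"}

# Matches the version property declared in the class, e.g.
#   public $Version = '5.2.14';
VERSION_RE = re.compile(r"\$Version\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]")


def parse_version(text):
    """Return the declared PHPMailer version as an int tuple, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True when the version predates the 5.2.21 fix (5.2.18 is still flagged)."""
    return version < FIXED_VERSION


def scan_webroot(root):
    """Walk a web root; return (path, version, vulnerable) for each PHPMailer copy."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.name not in CLASS_FILES or not path.is_file():
            continue
        version = parse_version(path.read_text(errors="ignore"))
        if version is None:
            continue  # same file name, but no PHPMailer version property
        findings.append((str(path), version, is_vulnerable(version)))
    return findings


if __name__ == "__main__":
    import sys

    for path, version, vuln in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "VULNERABLE" if vuln else "ok"
        print(f"{status:10} {'.'.join(map(str, version)):8} {path}")
```

Run it against the document root (for example `python scan_phpmailer.py /var/www/html`) and patch or remove every copy it reports as VULNERABLE, including ones shipped inside plugins and themes.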