• Hi

    I am getting warnings from my service provider about a Command Injection vulnerability in class-phpmailer.php.
    What should I do? Is this going to be fixed in the next WordPress version, or should I do something to the current WP installations?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Have a read here:

    https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/

    Many links there, look at the update notes at the bottom and watch for an update. The issue is with an older PHP Library that WordPress Core, Themes and Plugins use.

    eaglejohn

    (@danielbenjamins)

    When I go to a client's website (whose hosting provider gave out a warning about this) and open class-phpmailer.php, I see it’s version 5.2.14. The website is running WordPress 4.7 (so latest version) and all plugins are up to date.

    “If you are using PHPMailer older than 5.2.18 in your own PHP applications, themes or plugins, please upgrade to PHPMailer 5.2.18 or newer immediately.”

    Conclusion: WordPress 4.7 (latest version) is using an old PHPMailer version?
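
The manual check described in the reply above (open class-phpmailer.php, read the version, compare it with 5.2.18) can be run across a whole installation, including copies bundled by themes and plugins. This is an added example, not part of the original thread or of WordPress or PHPMailer. It assumes the library declares its version as a `$Version` property and that the file is named `class-phpmailer.php` or `class.phpmailer.php`; the sample tree, the `demo-plugin` path and the second version string are constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumption: the library declares its version as a class property,
# e.g.  public $Version = '5.2.14';
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"](\d+(?:\.\d+)*)['"]""")
FIXED = (5, 2, 18)  # minimum version named in the advisory quoted in the thread
NAMES = {"class-phpmailer.php", "class.phpmailer.php"}  # assumed file names

def parse_version(php_source):
    """Return the declared version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(php_source)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(root):
    """Walk root and return sorted [(path, version_or_None, needs_upgrade)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    version = parse_version(fh.read())
                # An unreadable version is flagged for review, never assumed safe.
                findings.append((path, version, version is None or version < FIXED))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: a core copy and a copy bundled by a plugin."""
    samples = {
        "wp-includes/class-phpmailer.php":
            "<?php class PHPMailer { public $Version = '5.2.14'; }",
        "wp-content/plugins/demo-plugin/lib/class.phpmailer.php":  # hypothetical
            "<?php class PHPMailer { public $Version = '5.2.21'; }",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path, version, needs_upgrade in audit(root):
            label = ".".join(map(str, version)) if version else "unknown"
            print("UPGRADE" if needs_upgrade else "ok", label, path)
```

To audit a real site, call `audit()` on the document root instead of the temporary sample tree.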

    Please do not bring attention to such issues. It is not in your interest assuming that interest is protecting your own site. Fixing which PHP Library is used, regardless of which is asked for, is a host issue.

    Find a better one.

  • The topic ‘Command Injection warning in class-phpmailer.php’ is closed to new replies.