Viewing 15 replies - 1 through 15 (of 15 total)
  • To the plugin author – I have another contact form plugin that I am using that has a bundled version of PHPMailer that I needed to patch. The patch was very simple and quick to do.

    1. Downloaded PHPMailer from GitHub: https://github.com/PHPMailer/PHPMailer
    2. Replaced these 3 files: class.phpmailer.php, class.pop3.php and class.smtp.php.

    No other changes were needed. If anyone would like to quickly patch their version of PHPMailer then do the steps above.

    Thread Starter digitaltoast

    (@digitaltoast)

    Thank you – I was wondering if that was all that would be needed. I’ll do that for now, but, of course, the plugin author definitely needs to update too, but I can understand that it’s difficult during the holidays.

    Additional Note: I also tested doing the same thing with the PHPMailer version that is bundled in WordPress and everything appears to work fine.

    1. Deleted these 3 files in /wp-includes/: class-phpmailer.php, class-pop3.php and class-smtp.php.
    2. Uploaded these 3 new PHPMailer files to /wp-includes/: class.phpmailer.php, class.pop3.php and class.smtp.php.
    3. Renamed the 3 new files to: class-phpmailer.php, class-pop3.php and class-smtp.php.

    @digitaltoast – Yep, the plugin author may be on vacation. Looks like the PoC attack method has been posted publicly today: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html I understand the excitement for the person who found the security vulnerability, but it is unacceptable to publicly publish the PoC before everyone has a chance to patch their version of PHPMailer. Instead of credit for finding this, the person who discovered this security vulnerability is now going to get a lot of shit for publicly exposing the PoC before everyone has had time to patch PHPMailer.


    Anyway, I just tested the PoC attack parameters on several different contact forms and all of them are sanitizing/validating form fields. So the attack fails. I believe the only scenario that would allow the attack to succeed would be if someone was using a form that did not have any validation/sanitization code.

    Thread Starter digitaltoast

    (@digitaltoast)

    Thank you – I did wonder about that. Well, that’s a relief!

    Yeah, we have had a lot of reported “security vulnerabilities” for our plugin over the years and 9 out of 10 of them are what we would call a “technical” security vulnerability. Meaning yes, it is a coding mistake, and no, that coding mistake would not allow or lead to a hacked website.

    Plugin Author Noor Alam

    (@naa986)

    Thank you everyone for the feedback. I have just updated PHPMailer to the latest version in the plugin. So it should be fixed now.

    @aitpro thanks. Your solution is working.

    Hi,

    PHPMailer should be updated to ver. 5.2.20.

    https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20

    Thread Starter digitaltoast

    (@digitaltoast)

    Plugin Author Noor Alam

    (@naa986)

    @munyagu & @digitaltoast, I have just released another update.

    Hi,

    I don’t have this as a separate plugin, but the hosting company of one of my clients has marked this class-phpmailer.php as vulnerable.

    Could it be embedded in a theme or other plugin? Or is it a core function?

    So: what to do when it’s not a plugin? Update via Github/FTP?

    Thanks,
    Monique

    AITPro – if looking at the bundled PHPMailer within wp-includes — isn’t that class-pop3.php file vastly different from the similarly named file that ships with PHPMailer? I’m not sure you should be replacing that file. The other two (class-smtp.php and class-phpmailer.php), yes.

    Yep, the files are different for WP Core, but not for the plugin that I needed to update. So someone should probably not replace the Core WP files. In any case, the PHPMailer “security vulnerability” does not affect WP in any way. WP Dev sent out an email that they checked everything and WP is not vulnerable to the PHPMailer bug.
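    An audit script, added here as an example (it is not code from this thread, the plugin, or WordPress), that walks an install and reports every bundled PHPMailer copy, core or plugin, whose version is older than the 5.2.20 release recommended above. It assumes the 5.2.x `public $Version = '...';` line is present and that the files still use the names discussed here (class.phpmailer.php or class-phpmailer.php).

```shell
#!/bin/sh
# Added example: find bundled PHPMailer copies in a WordPress tree and flag
# any whose $Version is below MIN_VERSION (the release this thread points at).

MIN_VERSION="5.2.20"

# Extract the version string from a PHPMailer class file. Matches the line
#   public $Version = '5.2.14';
# as found in 5.2.x class.phpmailer.php and in wp-includes/class-phpmailer.php.
phpmailer_version() {
    sed -n "s/^[[:space:]]*public \$Version *= *'\([0-9.]*\)';.*/\1/p" "$1" | head -n 1
}

# True (exit 0) when dot-separated numeric version $1 is older than $2.
# Pure POSIX sh so it does not depend on GNU sort -V.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Print one status line for a single file: OUTDATED <ver> <file>, OK <ver> <file>,
# or UNKNOWN <file> when no $Version line could be parsed (inspect by hand).
check_phpmailer_file() {
    file="$1"
    ver="$(phpmailer_version "$file")"
    if [ -z "$ver" ]; then
        echo "UNKNOWN $file"
    elif version_lt "$ver" "$MIN_VERSION"; then
        echo "OUTDATED $ver $file"
    else
        echo "OK $ver $file"
    fi
}

# Walk a WordPress install root and check every PHPMailer class copy, whether it
# lives in wp-includes or is bundled inside a plugin or theme directory.
scan_wordpress() {
    find "$1" -type f \( -name 'class.phpmailer.php' -o -name 'class-phpmailer.php' \) \
        | while IFS= read -r f; do check_phpmailer_file "$f"; done
}
```

Run it as `scan_wordpress /path/to/wordpress` and upgrade or replace any copy reported OUTDATED; an UNKNOWN line means the file does not carry the expected version marker and should be checked manually.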

  • The topic ‘[Security] Urgent: Critical php-mailer vulnerability’ is closed to new replies.