A critical vulnerability has been discovered in PHPMailer, one of the most widely used open source PHP libraries for sending email from websites, with more than 9 million users worldwide.
Millions of PHP websites and popular open source web applications, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, ship with the PHPMailer library to send email to their users using a variety of methods, including SMTP.
Discovered by Polish security researcher Dawid Golunski of Legal Hackers, the critical vulnerability (CVE-2016-10033) allows attackers to execute arbitrary code from a remote location in the context of the web server and compromise the target web site.
"To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class," Golunski writes in the advisory published today.
Golunski responsibly reported the vulnerability to the developers, who have patched the vulnerability in their new release, PHPMailer 5.2.18.
All versions of PHPMailer before the release of PHPMailer 5.2.18 are affected, so website administrators and developers are strongly advised to update to the patched release.
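Because PHPMailer is bundled inside so many applications and plugins, an administrator's first job is to find every copy under a web root and check its version against the patched 5.2.18 release. The script below is an added example written for this article, not code from PHPMailer or from the advisory; it assumes the 5.x class file is named class.phpmailer.php and declares its version as `public $Version = '5.2.x';`.

```python
import re
from pathlib import Path

FIXED_VERSION = "5.2.18"  # first release carrying the fix, per the advisory

# Assumed layout of the version declaration in the 5.x class file,
# e.g. `public $Version = '5.2.17';` (an assumption, not taken from the article).
VERSION_RE = re.compile(r"\$Version\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]")


def parse_version(text):
    """Turn '5.2.17' into (5, 2, 17) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when the given PHPMailer version predates the patched 5.2.18 release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def extract_version(source):
    """Pull the declared version string out of a class.phpmailer.php source, or None."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def scan_tree(root):
    """Walk a web root and report every bundled class.phpmailer.php as
    (path, version, vulnerable) tuples; vulnerable is None if no version was found."""
    results = []
    for path in Path(root).rglob("class.phpmailer.php"):
        try:
            version = extract_version(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        results.append((str(path), version, is_vulnerable(version) if version else None))
    return results


if __name__ == "__main__":
    import sys
    for path, version, vuln in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "UNKNOWN" if vuln is None else ("VULNERABLE" if vuln else "patched")
        print(f"{status:10} {version or '?':8} {path}")
```

Run it against the document root of each site (for example `python scan.py /var/www`); every line marked VULNERABLE is a copy that needs updating, including copies bundled inside plugins and themes that the application's own updater may not touch.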
At the time That Tech Guy is publishing this disclosure, Golunski's advisory notes that millions of websites remain unpatched, so the researcher has withheld further details about the flaw.
However, Golunski has promised to release more technical details about the vulnerability in the coming days, including proof-of-concept exploit code and a video demonstration showing the attack in action.
We will update this article with additional resources regarding the PHPMailer vulnerability, including the exploit code, once the researcher makes them public.