Developers close vulnerability in PHPMailer

Older versions of the popular PHP script for automatically sending mail, PHPMailer, have been found to contain a vulnerability that could allow an attacker to execute code remotely. In the latest version, the developers have solved the problem.

To exploit the PHPMailer vulnerability labeled CVE-2016-10033, an attacker only needs to make the web application send a mail through the vulnerable PHPMailer class, for example via contact, feedback and registration forms or resetting email passwords. The attacker can then execute code remotely as a web server user. That describes the Polish security researcher Dawid Golunski of Legal Hackers, who also developed an exploit. He will announce the exact details at a later date to give administrators time to update the code.

The developers of PHPMailer are urging all users to update their version to version 5.2.18. The problem has been resolved with this current version. PHPMailer is one of the most widely used PHP libraries and is used in WordPress, Joomla, Drupal, SugarCRM and Mantis, among others. According to BleepingComputer, exploit code developed by third parties has also appeared online.