Millions of Websites Affected by Critical PHPMailer Flaw

Critical PHPMailer Flaw

A critical PHPMailer flaw has been discovered affecting millions of websites and frameworks that use this library for their mailing needs. The vulnerability was discovered by Polish security researcher Dawid Golunski of Legal Hackers.

PHPMailer is one of the most popular open source class libraries written in PHP for sending email. It is used by over nine million websites and by popular web applications and frameworks, including WordPress, Joomla, Drupal, Yii, SugarCRM and 1CRM, among others.


Details of the Critical PHPMailer Flaw

The critical vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.

“The attack could hit components with contact forms, registration forms, password email resets and other forms that send out emails with the help of a vulnerable version of the PHPMailer class,” Golunski said.

All versions prior to PHPMailer 5.2.18, released on December 25th, are vulnerable, so web administrators and developers are strongly recommended to update to the patched release. The release can be downloaded from the official source repository here.
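A defender's check for the advice above, added here as an example and not part of the original article or of the PHPMailer project: it walks a web root for PHPMailer class files, reads the `$Version` string that the 5.x class declares, and flags any copy older than 5.2.18. The file names searched and the exact form of the version line are assumptions.

```python
import re
from pathlib import Path

# Fixed release named in the article; every older release is affected (CVE-2016-10033).
PATCHED = (5, 2, 18)

# Files in which PHPMailer 5.x ships its main class (assumed names).
CLASS_FILES = ("class.phpmailer.php", "PHPMailer.php")

# Matches the version declaration in the class file, e.g.
#   public $Version = '5.2.17';
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"](\d+(?:\.\d+)*)['"]""")


def parse_version(text):
    """Return the declared version as a tuple of ints, or None if no declaration is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True for any release before 5.2.18; tuple comparison keeps 5.2.9 < 5.2.18 correct."""
    return version < PATCHED


def scan_sources(sources):
    """Check (path, file_text) pairs and return [(path, version_string)] for vulnerable copies."""
    findings = []
    for path, text in sources:
        version = parse_version(text)
        if version is not None and is_vulnerable(version):
            findings.append((path, ".".join(str(p) for p in version)))
    return findings


def scan(root):
    """Walk a web root, read each PHPMailer class file found, and report vulnerable copies."""
    def sources():
        for path in Path(root).rglob("*.php"):
            if path.name in CLASS_FILES:
                yield str(path), path.read_text(errors="ignore")
    return scan_sources(sources())


if __name__ == "__main__":
    import sys
    for path, version in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"VULNERABLE PHPMailer {version}: {path}")
```

Run it against the document root of each site; a copy at or above 5.2.18 produces no output.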