A critical PHPMailer flaw has been discovered affecting millions of websites and frameworks that use this library for their mailing needs. The vulnerability was discovered by Polish security researcher Dawid Golunski of Legal Hackers.
PHPMailer is one of the most popular open source class libraries written in PHP for sending email. It is used by over nine million websites and by popular web applications and frameworks, including WordPress, Joomla, Drupal, Yii, SugarCRM and 1CRM.
Details of the Critical PHPMailer Flaw
The critical PHPMailer vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.
“The attack could hit components with contact forms, registration forms, password email resets and other forms that send out emails with the help of a vulnerable version of the PHPMailer class,” Golunski said.
All versions prior to PHPMailer 5.2.18, released on December 25th, are vulnerable, so web administrators and developers are strongly recommended to update to the patched release. The release can be downloaded from the official source repository here.
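To find copies of the class that still predate 5.2.18 across a set of web roots, here is an added Python inventory scanner (not from the advisory or the PHPMailer project). It assumes the class file names and the `$Version` / `const VERSION` declaration style noted in its comments; the sample tree in `demo()` is constructed, not a real install.

```python
import os
import re
import tempfile
from pathlib import Path

PATCHED = (5, 2, 18)  # first release the advisory calls fixed
# File names PHPMailer's main class ships under (assumption: 5.x, 6.x,
# and the name WordPress bundles it as).
CLASS_FILES = {"class.phpmailer.php", "class-phpmailer.php", "PHPMailer.php"}
# Assumption: the class declares its version as `public $Version = '5.2.x';`
# (5.x) or `const VERSION = '6.x.y';` (6.x).
VERSION_RE = re.compile(r"(?:\$Version|const\s+VERSION)\s*=\s*'([\d.]+)'")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def extract_version(source):
    """Pull the version string out of a PHPMailer class file, or None."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None

def is_vulnerable(version):
    """Any release before 5.2.18 is affected per the advisory."""
    return parse_version(version) < PATCHED

def scan_tree(root):
    """Return {path: version} for every PHPMailer copy older than 5.2.18."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CLASS_FILES:
                continue
            path = Path(dirpath) / name
            version = extract_version(path.read_text(errors="replace"))
            if version and is_vulnerable(version):
                findings[str(path)] = version
    return findings

def demo():
    """Constructed sample tree: one outdated copy and one patched copy."""
    with tempfile.TemporaryDirectory() as root:
        copies = {"site-a/class.phpmailer.php": "5.2.14",
                  "site-b/class.phpmailer.php": "5.2.18"}
        for rel, ver in copies.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_text(f"<?php\nclass PHPMailer {{\n    public $Version = '{ver}';\n}}\n")
        return sorted(scan_tree(root).values())  # → ['5.2.14']
```

Run `scan_tree("/var/www")` (or any web root) on a real host to list the outdated copies that need updating.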