PHPMailer Security Vulnerability – Affects WordPress

I hope you enjoyed the Christmas Holidays because we’re right back into software security and vulnerability issues.

This week, we’re looking at PHPMailer 5.2.18 and lower.

LegalHackers released an announcement on Christmas Day that a new vulnerability has been discovered in PHPMailer 5.2.18, and as a result, the WordPress Core software. You can read the LegalHackers announcement here.

What is PHPMailer? Who uses PHPMailer?

PHPMailer is a code library which enables a website to communicate with the mailing system via PHP on a server. Created in 2001, it became a defacto standard with regards to server configurations and script integration.  One of the big advantages of PHPMailer was that it was more secure than CGI Mailer software and through this, it became one of the most popular methods online.

Today, PHPMailer is integrated with popular software such as WordPress, Drupal, Joomla, SugarCRM and much more.  At the end of the day, since so many people use it, it becomes a target for exploiters.

What’s The Extent of the PHPMailer Security Vulnerability?

As of this moment, there is no known exploit in the wild, rather it’s a proof of concept. The potential exploit would make use of Remote Code Execution (RCE). Basically allows a hacker to execute a piece of code on a victim’s website, and then use that to do the dirty work.  Given that this is an exploit of PHPMailer, this will quickly be exploited by Spammers.

WordFence Security released a statement on December 26th regarding the potential exploit and stated that from what they reviewed, a hacker could potentially pass shell scripting code via the Sender Email address field, and from there take control of a server.

What’s Next? How To Fix The PHPMailer Exploit?

Right now, sit back and try not to think about the looming exploit.

The WordPress team are working on a patch, and I’m sure the teams at Drupal and other software are working on their patches too. Once they have a verified patch, they’ll release their update.

If you have WordPress Automatic Updates enabled, then you should be patched without a problem when it’s released. If you don’t have the automated updates enabled, you’ll want to download the WordPress Core update when they release it. Most times, WordPress has patches released within 24 hours, so just sit back and wait.

As a general rule, we advise people to make backups of their websites prior to making any update.  It’s always a good idea to make backups, but with a potential exploit out there, now is a perfect time to make a backup.  For us, not only do we advise making a backup, but we also recommend that people make the updates on a development site prior to making the update on their live site.  This ensures that the general public do not see a broken website should there be a problem in the update.

Finally, Plugins & Themes need updates! Many developers include their own software releases packaged inside a theme or plugin. Sadly, a lot of people on the internet download a plugin but don’t run any updates – or worse, they use plugins that are no longer maintained.  In these cases, you’ll need to manually verify your plugins and code.

This Is Not A WordPress Problem!

Just so we’re 100% clear, the potential exploit is affecting PHPMailer, and not directly WordPress. Many people are quick to throw WordPress under the bus when it comes to security exploits, but it’s imperative to note that this is not WordPress to blame.

This round of problems is directly related to PHPMailer and a section of code that could allow a hacker to take control of it.

Should you have any questions or problems, feel free to reach out to our team. We’ll be monitoring this situation as it evolves and applying updates to client sites as the patch is released.  If you’d like to be on our client management program which performs website backups and software updates, please contact us.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email
Check Out These Other Articles
No HTTPS No Visitors - Google Cracks Down on Non-SSL Sites

“It’s Here!” SSL-mageddon: Sites Without HTTPS Now Show “Not Secured”

We’ve been warning users about the impending doom regarding their websites and security, and today, Google has started their campaign to notify webmasters too.  HTTPSmageddon, HTTPS-mageddon, SSLmageddon or SSL-mageddon – whatever way you want to say it, the storm has arrived! I’m going to use SSL-mageddon, it just looks nicer! 🙂

WooCommerce 3.5 and WordPress 5.0

WooCommerce? Read This Before WordPress 5.0 Release

If you’ve been keeping up with the new WordPress 5.0 version, scheduled for release on November 19th 2018, you’ll know there are a ton of changes. One massive change is how it integrates with WooCommerce. The integration is a full rewrite of code and if you upgrade WordPress and fail to update WooCommerce ahead of time, you’ll likely end up


Yahoo Hacked – Another Big Data Breach

Hacked websites happen on a regular basis, and it seems as if every couple of weeks we see another news alert about the latest “largest data breach ever” being perpetrated by a group of unknown persons. September 2016 is a month like any other, with various alerts and warnings, however, Yahoo! has just announced a massive data breach of nearly