PHPMailer Bug Leaves Millions of Websites Open to Attack

A critical PHPMailer bug tied to the way websites handle email and feedback forms is leaving millions of websites hosted on popular web-publishing platforms such as WordPress, Drupal and Joomla open to attack.

The flaw was disclosed by researcher Dawid Golunski of Legal Hackers, who said the vulnerability could be used by an unauthenticated remote attacker to achieve arbitrary remote code execution in the context of the web server and so remotely compromise targeted web applications.

The vulnerability (CVE-2016-10033) is related to the way websites handle web-based email submission forms using the PHPMailer component. PHP (Hypertext Preprocessor) is an open-source scripting language embedded into website HTML. PHPMailer is a popular component used by an estimated 9 million sites for handling tasks such as email submission and registration forms. According to Golunski, all versions of PHPMailer released before version 5.2.18 are affected.

“To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class,” writes Golunski in a technical breakdown of the flaw.

Golunski privately disclosed the bug last week to the authors of PHPMailer. On Saturday a software update (PHPMailer 5.2.18) was made available to fix the vulnerability. However, days later Golunski said a bypass of the patch was found, and it has been given a new CVE assignment (CVE-2016-10045).

“There is no public patch at the moment. All PHPMailer versions are vulnerable again. Back to square one,” Golunski wrote Wednesday in a brief statement to Threatpost. He said a software fix is expected Wednesday.

A limited technical alert on the flaw was first published Sunday. A proof of concept of the vulnerability has since been published by Golunski.

WordPress and Drupal have both issued warnings regarding PHPMailer. Drupal described it as a “highly critical” vulnerability and issued the warning: “In general the Drupal project does not create advisories for 3rd party libraries… However, given the extreme criticality of this issue and the timing of its release we are issuing a Public Service Announcement to alert potentially affected Drupal site maintainers.”

Additional web-publishing platforms 1CRM, SugarCRM and Yii are also impacted.

Golunski says he has developed a working Remote Code Execution proof of concept exploit regarding this vulnerability. The flaw, he said, has to do with the way the PHPMailer script allows unverified sender email addresses to be used. This allows an attacker to inject arbitrary options into the Sendmail command line within the context of PHPMailer.

Golunski says the sender email address validation is done using the RFC 3696 specification, which in some circumstances allows hackers to include quotes and other characters within an email address. When the address is not verified further, those quotes and characters can be interpreted as command line arguments, which creates the remote code execution vulnerability in PHPMailer.
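As an added illustration (this is not PHPMailer's own code and not the researcher's proof of concept), the PHP below shows the defensive check a mail transport needs before it places a sender address on a sendmail command line: an address that is valid under RFC 3696 is not automatically safe to splice into a shell command. It assumes PHP 7.1 or later and a sendmail path chosen by the site operator.

```php
<?php
// Added example, not PHPMailer's own code and not the researcher's PoC.
// It shows why "valid under RFC 3696" is not the same as "safe on a shell
// command line": RFC 3696 permits a quoted local part, which may contain
// spaces, quotes and backslashes. A transport that splices the sender into
// a sendmail command must reject such addresses before building anything.

/**
 * Accept only a plain dot-atom local part and a hostname-style domain.
 * Quoted local parts, whitespace and shell metacharacters are rejected
 * even though some of them are RFC-valid. Deliberately stricter than RFC 3696.
 */
function isShellSafeSender(string $address): bool
{
    // Hard stop on anything that can end or extend a shell argument.
    if (strlen($address) > 254 || preg_match('/[\s"\'\\\\<>&|;$`(){}]/', $address)) {
        return false;
    }
    $atom = '[A-Za-z0-9!#%*+\/=?^_~-]+';
    return (bool) preg_match(
        "/^{$atom}(\\.{$atom})*@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+\$/",
        $address
    );
}

/**
 * Build the sendmail command a transport should run: validate first, then
 * quote the sender with escapeshellarg() as one argument. Path and sender
 * are each escaped once, separately, and never re-escaped as a whole.
 * Returns null when the sender is rejected so the caller falls back to the
 * site's configured envelope sender instead of the user-supplied value.
 */
function buildSendmailCommand(string $sendmailPath, string $sender): ?string
{
    if (!isShellSafeSender($sender)) {
        return null;
    }
    return escapeshellcmd($sendmailPath) . ' -oi -f' . escapeshellarg($sender) . ' -t';
}

// Constructed sample inputs: the first is RFC 3696-valid but carries a quoted
// local part with a space, the class of address the gate must stop; the
// second is an ordinary address and passes.
$samples = ['"john doe"@example.com', 'john.doe@example.com'];
foreach ($samples as $sample) {
    $cmd = buildSendmailCommand('/usr/sbin/sendmail', $sample);
    printf("%-24s => %s\n", $sample, $cmd ?? 'REJECTED (use configured site sender)');
}
```

The first sample is rejected before any command exists; the second yields `/usr/sbin/sendmail -oi -f'john.doe@example.com' -t`, with the sender confined to a single quoted argument.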

Golunski says a more complete description of the attack vectors and exploits will be disclosed at a later date, allowing more time for patching by impacted websites and platforms.

This story was updated 12/28 at 9:30 a.m. ET to reflect the fact a bypass for the patch that fixed the PHPMailer bug has been found and that impacted parties will need to apply the upcoming software update once it becomes available. 

  • Anonymous:

    Patch for CVE-2016-10033 has been bypassed.
  • Hackerlab:

    PhpMailer v5.2.19 is also vulnerable. A patch was not effective.
  • ab:

    Though I think there is much hype: 1) If the attacker can control the "From" there is already a problem in your site. 2) If the From format is not verified, then you have a second problem in your site. 3) The researcher PoC uses -X which is not part of postfix sendmail, this is from the default (still default nowadays?) sendmail util. Am I wrong?
