Critical Vulnerability in PHPMailer library found

The hole allows to remotely execute a code in the context of web server and compromize the web application.

Polish security researcher Dawid Golunski from Legal Hackers has found a critical hole in one of the most popular open source code libraries PHPMailer. Using it, a hacker can remotely execute a code in the context of web server and compromize the web application.

A hacker can exploit the hole (CVE-2016-10033) in such website components as feedback forms, registration forms, password recovery forms, and so on, which use a vulnerable version of PHPMailer for e-mails sending. The problem concerns all library versions before 5.2.18.

As he was first who has reported about the security hole, researcher Golunski decided not to disclose details until vulnerable websites are fixed. He said that technical details (including video and PoC code) will have been published soon, so administrators are recommended to install the update as soon as possible.

PHPMailer is one of the most popular open source code libraries designed for e-mails sending. PHPMailer is used at millions of websites and web applications written in PHP, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla.