PHPMailer Vulnerability and WordPress

There’s lots of panic around the holidays regarding CVE-2016-10033 – a critical vulnerability in the PHPMailer library that allows an attacker to inject extra arguments into the sendmail command line and have the webserver execute them (RCE – remote code execution). WordPress ships PHPMailer in core, yet there hasn’t been an update yet (see trac ticket #37210), and the ticket hasn’t been marked as critical either (at the time of writing).

The exploit requires several conditions to be met. Firstly, PHPMailer has to be configured to use sendmail or mail (the latter is the default in WordPress). Secondly, the From parameter has to be set from external sources – request parameters, untrusted user-controllable options and other untrusted input (which is not the case in vanilla WordPress setups).

So here’s a quick note on why you should not panic if you’re running WordPress with a vulnerable PHPMailer library in the core, and how to check whether you should.

You should not panic if you are sure that you are using an SMTP gateway (via one of the dozens of SMTP plugins for WordPress out there), including local SMTP (i.e. PHPMailer is in SMTP mode), and there isn’t even a sendmail binary installed on the system.

You should be concerned and dig deeper if your wp-content directory has code that contains:

  • “->setFrom” or “->From”,
  • “->Sender”,
  • “wp_mail_from” or “wp_mail_from_name” (woocommerce sets it from the “woocommerce_email_from_address” option),
  • any other variations where you’re accepting user input (e-mail) and setting it as the sender (doh!)
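As an added example (not from the original post and not WordPress or PHPMailer code), here is a small POSIX shell script that performs the wp-content check described above: it greps a tree for the sender-setting patterns listed and reports whether a sendmail binary is on the system. The fixture plugin files, their paths and the exact pattern list are this script’s own constructed choices.

```shell
#!/bin/sh
# Added example: scan a wp-content tree for the sender-setting patterns listed
# above and report whether a sendmail binary is present. Pattern list, fixture
# files and paths are this script's own choices, not from WordPress core.

# scan_wp_content DIR -> prints matching "file:line:code" lines (fixed strings)
scan_wp_content() {
    grep -rFn --include='*.php' \
        -e '->setFrom' -e '->From' -e '->Sender' \
        -e 'wp_mail_from' -e 'woocommerce_email_from_address' \
        "$1" 2>/dev/null
}

# count_wp_content_hits DIR -> number of matching lines
count_wp_content_hits() {
    scan_wp_content "$1" | wc -l | tr -d ' '
}

# sendmail_present -> exit 0 if a sendmail binary is on PATH or in /usr/sbin
sendmail_present() {
    command -v sendmail >/dev/null 2>&1 && return 0
    [ -x /usr/sbin/sendmail ] && return 0
    return 1
}

# make_fixture -> prints the path of a constructed (not real) wp-content tree
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/demo-form" "$dir/plugins/clean"
    cat > "$dir/plugins/demo-form/form.php" <<'EOF'
<?php
// Request data used as the sender: exactly the pattern to dig into.
$phpmailer->setFrom( $_POST['email'] );
add_filter( 'wp_mail_from', function () { return $_GET['from']; } );
EOF
    cat > "$dir/plugins/clean/clean.php" <<'EOF'
<?php
// Only sets the recipient; the sender is left to WordPress defaults.
wp_mail( 'admin@example.com', 'Hello', 'Body' );
EOF
    printf '%s\n' "$dir"
}

fixture=$(make_fixture)
scan_wp_content "$fixture"
echo "hits: $(count_wp_content_hits "$fixture")"
if sendmail_present; then echo "sendmail binary present: dig deeper"; else echo "no sendmail binary found"; fi
rm -rf "$fixture"
```

To check a real site, point `scan_wp_content` at its wp-content directory instead of the fixture; a hit marks code to read, not a confirmed vulnerability, since the question is whether the value can come from untrusted input.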

Pressjitsu clients have been automatically scanned for the PHPMailer vulnerability with no vulnerable setups found, but if you have cause for concern please contact our support department.

Stay safe.