A security researcher has discovered a critical vulnerability in the PHPMailer that might affect millions of websites users making them vulnerable to remote exploit.
It is being estimated that more than 9 Million users worldwide are affected by this vulnerability named as CVE-2016-10033, which affects PHPMailer. It is one of the most popular open source PHP libraries used to send emails.
There are millions of websites who uses PHP and popular CMS, including WordPress, Drupal, and Joomla which currently use the PHPMailer for sending emails.
The CVE-2016-10033 affects all versions of the library before the PHPMailer 5.2.18 release.
The flaw was discovered by the security researcher Dawid Golunski who works in Legal Hackers. “An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application,” Golunski explained.
“To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”
The expert has confirmed that he will soon provide the details of the CVE-2016-10033 vulnerability.
Golunski has informed about the flaws to the developers which they promptly fixed the PHPMailer 5.2.18. He also plans to publish an advisory as a proof-of-concept exploit code and video PoC of the attack.
It is being estimated that more than 9 Million users worldwide are affected by this vulnerability named as CVE-2016-10033, which affects PHPMailer. It is one of the most popular open source PHP libraries used to send emails.
There are millions of websites who uses PHP and popular CMS, including WordPress, Drupal, and Joomla which currently use the PHPMailer for sending emails.
The CVE-2016-10033 affects all versions of the library before the PHPMailer 5.2.18 release.
The flaw was discovered by the security researcher Dawid Golunski who works in Legal Hackers. “An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application,” Golunski explained.
“To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”
The expert has confirmed that he will soon provide the details of the CVE-2016-10033 vulnerability.
Golunski has informed about the flaws to the developers which they promptly fixed the PHPMailer 5.2.18. He also plans to publish an advisory as a proof-of-concept exploit code and video PoC of the attack.
No comments