PHPMailer is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the web server process that runs the affected application. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to PHPMailer 5.2.20 are vulnerable. The web applications and extensions listed below are affected because they bundle a vulnerable copy of the library; see the vendor references for the releases that ship the updated library.
Note: This issue is the result of an incomplete fix for CVE-2016-10033, described in BID 95108 (PHPMailer CVE-2016-10033 Remote Code Execution Vulnerability).
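The following script is an added example, not part of this advisory or of the PHPMailer project, for checking whether an application tree bundles a copy of PHPMailer older than the fixed 5.2.20 release. It assumes the library declares its version as `public $Version = '5.2.x';` in the 5.x class file (class.phpmailer.php, or class-phpmailer.php as WordPress names its copy) and as `const VERSION = '...';` in the 6.x src/PHPMailer.php; the sample tree it builds in a temporary directory is constructed for the demonstration and is not real application code.

```python
import re
import tempfile
from pathlib import Path

# First PHPMailer release with the complete fix, per the advisory text.
FIXED_VERSION = (5, 2, 20)

# Assumed version declarations (5.x class file and 6.x src/PHPMailer.php).
VERSION_PATTERNS = [
    re.compile(r"""public\s+\$Version\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]"""),
    re.compile(r"""const\s+VERSION\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]"""),
]


def parse_version(version_str):
    """'5.2.19' -> (5, 2, 19); a non-numeric tail such as '-rc1' is dropped."""
    parts = []
    for piece in version_str.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version_str):
    """True when the bundled copy predates the fixed 5.2.20 release."""
    return parse_version(version_str) < FIXED_VERSION


def extract_version(text):
    """Return the declared PHPMailer version string in a file body, or None."""
    for pattern in VERSION_PATTERNS:
        m = pattern.search(text)
        if m:
            return m.group(1)
    return None


def scan_tree(root):
    """Walk root and return (path, version, vulnerable) for every PHPMailer copy found.

    Files are pre-filtered by name ('phpmailer' in the file name) and then
    confirmed by the presence of a version declaration, so a plugin that ships
    its own copy under vendor/ or lib/ is reported alongside the core copy.
    """
    findings = []
    for path in Path(root).rglob("*.php"):
        if "phpmailer" not in path.name.lower():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        version = extract_version(text)
        if version is None:
            continue
        findings.append((str(path), version, is_vulnerable(version)))
    return findings


def demo():
    """Constructed sample tree: one vulnerable 5.2.19 copy, one fixed 5.2.20 copy, one 6.x copy."""
    samples = {
        "wp/wp-includes/class-phpmailer.php":
            "<?php\nclass PHPMailer {\n    public $Version = '5.2.19';\n}\n",
        "joomla/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php":
            "<?php\nclass PHPMailer {\n    public $Version = '5.2.20';\n}\n",
        "app/vendor/phpmailer/phpmailer/src/PHPMailer.php":
            "<?php\nnamespace PHPMailer\\PHPMailer;\nclass PHPMailer {\n    const VERSION = '6.0.7';\n}\n",
        "app/index.php": "<?php echo 'hello';\n",   # unrelated file, must be ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        print(f"{'VULNERABLE' if vulnerable else 'ok        '}  {version:8}  {path}")
```

Point it at a real document root by calling scan_tree('/var/www') instead of demo(). A bundled copy older than 5.2.20 is reported even when the hosting application's own version is current, which is the case to watch for with plugins and extensions that ship their own copy of the library.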
Information
Vulnerable:
WordPress WordPress 4.5.2
WordPress WordPress 4.5.1
WordPress WordPress 4.5
WordPress WordPress 4.4.1
WordPress WordPress 4.4
WordPress WordPress 4.2.4
WordPress WordPress 4.2.3
WordPress WordPress 4.2.2
WordPress WordPress 4.2.1
WordPress WordPress 4.1.2
WordPress WordPress 4.1.1
WordPress WordPress 4.1
WordPress WordPress 3.9.2
WordPress WordPress 3.9.1
WordPress WordPress 3.8.2
WordPress WordPress 3.8.1
WordPress WordPress 3.7.4
WordPress WordPress 3.7.1
WordPress WordPress 3.6.1
WordPress WordPress 3.5.2
WordPress WordPress 3.5.1
WordPress WordPress 3.3.2
WordPress WordPress 3.2.2
WordPress WordPress 3.1.4
WordPress WordPress 3.1.3
WordPress WordPress 3.1.2
WordPress WordPress 3.1.1
WordPress WordPress 3.0.5
WordPress WordPress 3.0.4
WordPress WordPress 3.0.3
WordPress WordPress 3.0.2
WordPress WordPress 2.9.2
WordPress WordPress 2.9.1
WordPress WordPress 2.8.6
WordPress WordPress 2.8.5
WordPress WordPress 2.8.4
WordPress WordPress 2.8.3
WordPress WordPress 2.8.2
WordPress WordPress 2.8.1
WordPress WordPress 2.6.5
WordPress WordPress 2.6.2
WordPress WordPress 2.6.1
WordPress WordPress 2.5.1
WordPress WordPress 2.3.3
WordPress WordPress 2.3.2
WordPress WordPress 2.3.1
WordPress WordPress 2.2.3
WordPress WordPress 2.2.2
WordPress WordPress 2.2.1
WordPress WordPress 2.1.3
WordPress WordPress 2.1.2
WordPress WordPress 2.1.1
WordPress WordPress 2.0.11
WordPress WordPress 2.0.10
WordPress WordPress 2.0.7
WordPress WordPress 2.0.6
WordPress WordPress 2.0.5
WordPress WordPress 2.0.4
WordPress WordPress 2.0.3
WordPress WordPress 2.0.2
WordPress WordPress 2.0.1
WordPress WordPress 2.0
WordPress WordPress 1.5.2
WordPress WordPress 1.5.1.3
WordPress WordPress 1.5.1.2
WordPress WordPress 1.5.1
WordPress WordPress 1.5
WordPress WordPress 1.3.1
WordPress WordPress 1.2.2
WordPress WordPress 1.2.1
WordPress WordPress 1.2
WordPress WordPress 0.71
WordPress WordPress 0.6.2
WordPress WordPress 4.7
WordPress WordPress 4.6
WordPress WordPress 4.5.3
WordPress WordPress 4.4.2
WordPress WordPress 4.3.1
WordPress WordPress 4.3
WordPress WordPress 4.2
WordPress WordPress 4.0.1
WordPress WordPress 3.9.3
WordPress WordPress 3.9
WordPress WordPress 3.8.5
WordPress WordPress 3.8.4
WordPress WordPress 3.8.3
WordPress WordPress 3.8
WordPress WordPress 3.7.5
WordPress WordPress 3.7
WordPress WordPress 3.6
WordPress WordPress 3.5.0
WordPress WordPress 3.4.2
WordPress WordPress 3.4.1
WordPress WordPress 3.4
WordPress WordPress 3.3.3
WordPress WordPress 3.3.1
WordPress WordPress 3.3
WordPress WordPress 3.2.1
WordPress WordPress 3.2
WordPress WordPress 3.1
WordPress WordPress 3.0.6
WordPress WordPress 3.0.1
WordPress WordPress 2.9.1.1
WordPress WordPress 2.9
WordPress WordPress 2.8.5.2
WordPress WordPress 2.8.5.1
WordPress WordPress 2.8
WordPress WordPress 2.7.1
WordPress WordPress 2.7
WordPress WordPress 2.6.3
WordPress WordPress 2.6
WordPress WordPress 2.5
WordPress WordPress 2.3
WordPress WordPress 2.2.0
WordPress WordPress 2.2
WordPress WordPress 2.1
WordPress WordPress 2.0.9
WordPress WordPress 2.0.8
WordPress WordPress 1.6.2
WordPress WordPress 1.6
WordPress WordPress 1.5.1.1
WordPress WordPress 1.5
WordPress WordPress 1.4
WordPress WordPress 1.3.3
WordPress WordPress 1.3.2
WordPress WordPress 1.3
WordPress WordPress 1.2.5
WordPress WordPress 1.2.4
WordPress WordPress 1.2.3
WordPress WordPress 1.1.1
WordPress WordPress 0.72
WordPress WordPress 0.711
WordPress WordPress 0.71
WordPress WordPress 0.7
WordPress WordPress 0.6.2.1
Typo3 AH Sendmail 2.0
PHPMailer PHPMailer 5.2.19
PHPMailer PHPMailer 5.2.18
PHPMailer PHPMailer 5.2.14
PHPMailer PHPMailer 5.2.13
PHPMailer PHPMailer 1.7.3
PHPMailer PHPMailer 1.7.2
PHPMailer PHPMailer 1.7.1
PHPMailer PHPMailer 1.7
PHPMailer PHPMailer 1.73
Moodle Moodle 3.1.3
Moodle Moodle 3.1.2
Moodle Moodle 3.1.1
Moodle Moodle 3.0.7
Moodle Moodle 3.0.6
Moodle Moodle 3.0.5
Moodle Moodle 3.0.4
Moodle Moodle 3.0.3
Moodle Moodle 3.0.2
Moodle Moodle 3.0.1
Moodle Moodle 2.9.9
Moodle Moodle 2.9.8
Moodle Moodle 2.9.7
Moodle Moodle 2.9.6
Moodle Moodle 2.9.5
Moodle Moodle 2.9.4
Moodle Moodle 2.9.3
Moodle Moodle 2.9.1
Moodle Moodle 2.8.12
Moodle Moodle 2.8.11
Moodle Moodle 2.8.10
Moodle Moodle 2.8.9
Moodle Moodle 2.8.7
Moodle Moodle 2.8.6
Moodle Moodle 2.8.5
Moodle Moodle 2.8.4
Moodle Moodle 2.8.3
Moodle Moodle 2.7.17
Moodle Moodle 2.7.16
Moodle Moodle 2.7.15
Moodle Moodle 2.7.14
Moodle Moodle 2.7.13
Moodle Moodle 2.7.12
Moodle Moodle 2.7.11
Moodle Moodle 2.7.10
Moodle Moodle 2.7.9
Moodle Moodle 2.7.8
Moodle Moodle 2.7.7
Moodle Moodle 2.7.6
Moodle Moodle 2.7.5
Moodle Moodle 2.7.3
Moodle Moodle 2.7.2
Moodle Moodle 2.6.11
Moodle Moodle 2.6.10
Moodle Moodle 2.6.9
Moodle Moodle 2.6.8
Moodle Moodle 2.6.6
Moodle Moodle 2.6.5
Moodle Moodle 2.6.3
Moodle Moodle 2.6.2
Moodle Moodle 2.6.1
Moodle Moodle 2.5.9
Moodle Moodle 2.5.8
Moodle Moodle 2.5.6
Moodle Moodle 2.5.4
Moodle Moodle 2.5.2
Moodle Moodle 2.5.1
Moodle Moodle 2.4.10
Moodle Moodle 2.4.8
Moodle Moodle 2.4.6
Moodle Moodle 2.4.5
Moodle Moodle 2.4.4
Moodle Moodle 2.4.3
Moodle Moodle 2.3.11
Moodle Moodle 2.3.9
Moodle Moodle 2.3.8
Moodle Moodle 2.3.7
Moodle Moodle 2.3.6
Moodle Moodle 2.3.3
Moodle Moodle 2.3.2
Moodle Moodle 2.3.1
Moodle Moodle 2.2.11
Moodle Moodle 2.2.10
Moodle Moodle 2.2.9
Moodle Moodle 2.2.6
Moodle Moodle 2.2.5
Moodle Moodle 2.2.4
Moodle Moodle 2.2.3
Moodle Moodle 2.2.2
Moodle Moodle 2.2.1
Moodle Moodle 2.1.9
Moodle Moodle 2.1.8
Moodle Moodle 2.1.7
Moodle Moodle 2.1.6
Moodle Moodle 2.1.5
Moodle Moodle 2.1.4
Moodle Moodle 2.1.2
Moodle Moodle 2.1.1
Moodle Moodle 2.0.10
Moodle Moodle 2.0.9
Moodle Moodle 2.0.8
Moodle Moodle 2.0.7
Moodle Moodle 2.0.5
Moodle Moodle 2.0.4
Moodle Moodle 2.0.3
Moodle Moodle 2.0.2
Moodle Moodle 2.0.1
Moodle Moodle 1.9.18
Moodle Moodle 1.9.17
Moodle Moodle 1.9.16
Moodle Moodle 1.9.14
Moodle Moodle 1.9.13
Moodle Moodle 1.9.12
Moodle Moodle 1.9.11
Moodle moodle 1.9.10
Moodle moodle 1.9.9
Moodle moodle 1.9.8
Moodle moodle 1.9.7
Moodle moodle 1.9.6
Moodle Moodle 1.9.5
Moodle moodle 1.9.4
Moodle moodle 1.9.3
Moodle moodle 1.9.2
Moodle Moodle 1.9.1
Moodle moodle 1.8.14
Moodle moodle 1.8.13
Moodle moodle 1.8.11
Moodle moodle 1.8.10
Moodle moodle 1.8.9
Moodle moodle 1.8.8
Moodle moodle 1.8.7
Moodle moodle 1.8.6
Moodle moodle 1.8.5
Moodle moodle 1.8.4
Moodle moodle 1.8.3
Moodle moodle 1.8.2
Moodle Moodle 1.8.1
Moodle moodle 1.7.7
Moodle moodle 1.7.6
Moodle moodle 1.7.5
Moodle moodle 1.7.4
Moodle moodle 1.7.3
Moodle moodle 1.7.2
Moodle moodle 1.7.1
Moodle moodle 1.6.9
Moodle moodle 1.6.8
Moodle moodle 1.6.7
Moodle moodle 1.6.6
Moodle moodle 1.6.5
Moodle moodle 1.6.4
Moodle moodle 1.6.3
Moodle moodle 1.6.2
Moodle moodle 1.6.1
Moodle moodle 1.5.2
Moodle moodle 1.5.1
Moodle moodle 1.5
Moodle moodle 1.4.3
Moodle moodle 1.4.2
Moodle moodle 1.4.1
Moodle moodle 1.3.4
Moodle moodle 1.3.3
Moodle moodle 1.3.2
Moodle moodle 1.3.1
Moodle moodle 1.3
Moodle Moodle 1.2.2
Moodle moodle 1.2.1
Moodle moodle 1.1.1
Moodle Moodle 3.2
Moodle Moodle 3.1
Moodle Moodle 3.0
Moodle Moodle 2.9.2
Moodle Moodle 2.9
Moodle Moodle 2.8.8
Moodle Moodle 2.8.2
Moodle Moodle 2.8.1
Moodle Moodle 2.8
Moodle Moodle 2.7.4
Moodle Moodle 2.7.1
Moodle Moodle 2.7
Moodle Moodle 2.6.7
Moodle Moodle 2.6.4
Moodle Moodle 2.6
Moodle Moodle 2.5.7
Moodle Moodle 2.5.5
Moodle Moodle 2.5.3
Moodle Moodle 2.5
Moodle Moodle 2.4.9
Moodle Moodle 2.4.7
Moodle Moodle 2.4.2
Moodle Moodle 2.4.11
Moodle Moodle 2.4.1
Moodle Moodle 2.4
Moodle Moodle 2.3.5
Moodle Moodle 2.3.4
Moodle Moodle 2.3.10
Moodle Moodle 2.3
Moodle Moodle 2.2.8
Moodle Moodle 2.2.7
Moodle Moodle 2.2
Moodle Moodle 2.1.3
Moodle Moodle 2.1.10
Moodle Moodle 2.1
Moodle Moodle 2.0.6
Moodle Moodle 2.0
Moodle Moodle 1.9.20
Moodle Moodle 1.9.19
Moodle Moodle 1.9.15
Moodle moodle 1.9
Moodle Moodle 1.8
Moodle moodle 1.7
Moodle Moodle 1.6
Moodle Moodle 1.5
Moodle Moodle 1.4.5
Moodle Moodle 1.4.4
Moodle moodle 1.18.2.3
Moodle moodle 1.18.2.2
Joomla Joomla! 3.6.5
Joomla Joomla! 3.4.7
Joomla Joomla! 3.4.6
Joomla Joomla! 3.4.4
Joomla Joomla! 3.4.3
Joomla Joomla! 3.4.2
Joomla Joomla! 3.4.1
Joomla Joomla! 3.4
Joomla Joomla! 3.3.6
Joomla Joomla! 3.3.5
Joomla Joomla! 3.3.4
Joomla Joomla! 3.3.3
Joomla Joomla! 3.3.2
Joomla Joomla! 3.3.1
Joomla Joomla! 3.3
Joomla Joomla! 3.2.6
Joomla Joomla! 3.2.5
Joomla Joomla! 3.2.4
Joomla Joomla! 3.2.3
Joomla Joomla! 3.2.2
Joomla Joomla! 3.2.1
Joomla Joomla! 3.1.6
Joomla Joomla! 3.1.5
Joomla Joomla! 3.1.4
Joomla Joomla! 3.1.1
Joomla Joomla! 3.1
Joomla Joomla! 3.0.4
Joomla Joomla! 3.0.3
Joomla Joomla! 3.0.1
Joomla Joomla! 3.0
Joomla Joomla! 2.5.26
Joomla Joomla! 2.5.25
Joomla Joomla! 2.5.24
Joomla Joomla! 2.5.19
Joomla Joomla! 2.5.18
Joomla Joomla! 2.5.17
Joomla Joomla! 2.5.16
Joomla Joomla! 2.5.15
Joomla Joomla! 2.5.14
Joomla Joomla! 2.5.13
Joomla Joomla! 2.5.11
Joomla Joomla! 2.5.10
Joomla Joomla! 2.5.9
Joomla Joomla! 2.5.8
Joomla Joomla! 2.5.7
Joomla Joomla! 2.5.6
Joomla Joomla! 2.5.5
Joomla Joomla! 2.5.4
Joomla Joomla! 2.5.3
Joomla Joomla! 2.5.2
Joomla Joomla! 2.5.1
Joomla Joomla! 2.5
Joomla Joomla! 1.7.5
Joomla Joomla! 1.7.4
Joomla Joomla! 1.7.3
Joomla Joomla! 1.7.2
Joomla Joomla! 1.7.1
Joomla Joomla! 1.7
Joomla Joomla! 1.6.6
Joomla Joomla! 1.6.4
Joomla Joomla! 1.6.3
Joomla Joomla! 1.6.2
Joomla Joomla! 1.6.1
Joomla Joomla! 1.6
Joomla Joomla! 1.5.26
Joomla Joomla! 1.5.22
Joomla Joomla! 1.5.21
Joomla Joomla! 1.5.20
Joomla Joomla! 1.5.19
Joomla Joomla! 1.5.18
Joomla Joomla! 1.5.17
Joomla Joomla! 1.5.16
Joomla Joomla! 1.5.15
Joomla Joomla! 1.5.14
Joomla Joomla! 1.5.13
Joomla Joomla! 1.5.12
Joomla Joomla! 1.5.11
Joomla Joomla! 1.5.10
Joomla Joomla! 1.5.9
Joomla Joomla! 1.5.8
Joomla Joomla! 1.5.7
Joomla Joomla! 1.5.6
Joomla Joomla! 1.5.5
Joomla Joomla! 1.5.4
Joomla Joomla! 1.5.2
Joomla Joomla! 3.6.4
Joomla Joomla! 3.6.3
Joomla Joomla! 3.6.1
Joomla Joomla! 3.6.0
Joomla Joomla! 3.4.5
Joomla Joomla! 3.2
Joomla Joomla! 2.5
Joomla Joomla! 1.7
Joomla Joomla! 1.6.5
Joomla Joomla! 1.5.3
Joomla Joomla! 1.5.23
Joomla Joomla! 1.5.1
Joomla Joomla! 1.5.0
Drupal Mailjet 7.x-2.8
Drupal Mailjet 7.x-2.0
Drupal Drupal 8.2.3
Drupal Drupal 8.2.2
Drupal Drupal 8.2.1
Drupal Drupal 8.2
Drupal Drupal 8.1.10
Drupal Drupal 8.1.9
Drupal Drupal 8.1.8
Drupal Drupal 8.0.4
Drupal Drupal 8.0.3
Drupal Drupal 8.0.2
Drupal Drupal 8.0.1
Drupal Drupal 8.1.7
Drupal Drupal 8.1.6
Drupal Drupal 8.1.5
Drupal Drupal 8.1.4
Drupal Drupal 8.1.3
Drupal Drupal 8.1.0
Drupal Drupal 8.0
Drupal Drupal 7.9
Drupal Drupal 7.8
Drupal Drupal 7.6
Drupal Drupal 7.52
Drupal Drupal 7.5
Drupal Drupal 7.44
Drupal Drupal 7.43
Drupal Drupal 7.42
Drupal Drupal 7.41
Drupal Drupal 7.40
Drupal Drupal 7.4
Drupal Drupal 7.39
Drupal Drupal 7.38
Drupal Drupal 7.37
Drupal Drupal 7.36
Drupal Drupal 7.35
Drupal Drupal 7.34
Drupal Drupal 7.33
Drupal Drupal 7.32
Drupal Drupal 7.31
Drupal Drupal 7.30
Drupal Drupal 7.3
Drupal Drupal 7.29
Drupal Drupal 7.28
Drupal Drupal 7.27
Drupal Drupal 7.26
Drupal Drupal 7.25
Drupal Drupal 7.24
Drupal Drupal 7.23
Drupal Drupal 7.22
Drupal Drupal 7.21
Drupal Drupal 7.20
Drupal Drupal 7.2
Drupal Drupal 7.19
Drupal Drupal 7.18
Drupal Drupal 7.17
Drupal Drupal 7.16
Drupal Drupal 7.15
Drupal Drupal 7.14
Drupal Drupal 7.13
Drupal Drupal 7.12
Drupal Drupal 7.11
Drupal Drupal 7.10
Drupal Drupal 7.1
Drupal Drupal 7.0
Not Vulnerable:
BEA Systems Weblogic Proxy Plugin 1.5.3
PHPMailer PHPMailer 5.2.20
Moodle Moodle 3.1.4
Moodle Moodle 3.0.8
Moodle Moodle 2.7.18
Moodle Moodle 3.2.1
Drupal Mailjet 7.x-2.9
Exploit
The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.
References:
- PHPMailer (legalhackers.com)
- PHPMailer Home Page (PHPMailer)
- PHPMailer/PHPMailer (PHPMailer)
- Security Announcements (joomla)
- Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005 (Drupal)
- MSA-17-0003: PHPMailer vulnerability in no-reply address (Moodle)
- PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004 (Drupal)
- TYPO3-EXT-SA-2017-005: Remote Code Execution in extension "AH Sendmail" (ah_send (TYPO3)
- WordPress 4.7.1 Security and Maintenance Release (WordPress)