
WordPress PHPMailer Vulnerability

Last updated on January 3, 2017 by Sal Ferrarello

There is a vulnerability in the PHPMailer library that affects any version before the critical release of 5.2.18. This PHPMailer vulnerability has been publicly disclosed at legalhackers.com.

The PHPMailer library version 5.2.14, a vulnerable version, is included in WordPress 4.7 (the latest version at the time of this writing). In other words, WordPress 4.7 and below have this vulnerability.

WordPress Core Is Not Vulnerable

By default, WordPress core is not vulnerable, nor is any plugin that uses wp_mail() properly. I am not aware of any plugin that uses wp_mail() in such a way as to expose the site to a vulnerability. Nevertheless, I look forward to the release of WordPress 4.7.1, which will include the latest version of PHPMailer, which has been updated to eliminate this vulnerability.
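One check a site owner can run, given the version threshold above and the note that plugins shipping their own copy of PHPMailer rather than calling wp_mail() may be affected: an added example (my own code, not from this post, WordPress or PHPMailer) that walks an install, finds every PHP file that defines the PHPMailer class, reads the public $Version property that PHPMailer 5.x declares, and flags copies older than 5.2.18. The regex layout is an assumption, and the sample tree it scans uses constructed placeholder paths, not WordPress's real file locations.

```python
import re
import tempfile
from pathlib import Path

# Releases older than this carry the disclosed flaw (threshold from the post).
FIXED_VERSION = (5, 2, 18)
# PHPMailer 5.x declares a public $Version property; the regex is my assumption.
VERSION_RE = re.compile(r"""public\s+\$Version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")

def parse_version(text):
    """Return the PHPMailer version tuple declared in PHP source, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def scan_tree(root):
    """List every PHPMailer class file under root as (path, version, vulnerable)."""
    findings = []
    root = Path(root)
    for path in root.rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        # Skip mere callers such as wp_mail() users; only class definitions count.
        if not re.search(r"\bclass\s+PHPMailer\b", text):
            continue
        version = parse_version(text)
        if version is not None:
            # Tuple comparison orders 5.2.14 before 5.2.18, so the check is exact.
            findings.append((path.relative_to(root).as_posix(),
                             ".".join(map(str, version)), version < FIXED_VERSION))
    return sorted(findings)  # core and plugin-bundled copies side by side

def demo():
    """Scan a constructed sample tree (placeholder paths, not WordPress's layout)."""
    files = {
        "core-placeholder/class-phpmailer.php":
            "<?php\nclass PHPMailer {\n    public $Version = '5.2.14';\n}\n",
        "plugins-placeholder/mailer-plugin/PHPMailer.php":
            "<?php\nclass PHPMailer {\n    public $Version = '5.2.18';\n}\n",
        "plugins-placeholder/other-plugin/send.php": "<?php\nwp_mail('a@example.com', 'x', 'y');\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            f = Path(tmp) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, ver, vuln in demo():
        print(f"{rel}: PHPMailer {ver} -> {'VULNERABLE' if vuln else 'ok'}")
```

Point scan_tree() at a real document root to inventory every bundled copy; a plugin that carries its own pre-5.2.18 PHPMailer is the case the core fix in 4.7.1 does not cover.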

Dion Hulse, one of the five WordPress Lead Developers, wrote the following in Trac Ticket #37210:

The WordPress Security team is aware of the PHPMailer issues. We’ve been in contact with the author and security researchers and discussing the fixes.

Presently, WordPress Core (and as a result, anything utilising wp_mail()) is unaffected by the recent disclosures; the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() do not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.
A note on plugins: If plugins are correctly utilising wp_mail() they’ll not be affected either; however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors.

The upcoming 4.7.1 release will contain mitigation for these issues; we’re committed to only shipping secure libraries with WordPress – regardless of whether we use the feature or not.
We don’t have any specific timing details to share at present; however, the preparations for a 4.7.1 release were already underway when we learnt about the issues.

Photo Credit

Pixabay modified

Sal Ferrarello (@salcode)
Sal is a PHP developer with a focus on the WordPress platform. He is a conference speaker with a background including Piano Player, Radio DJ, Magician/Juggler, Beach Photographer, and High School Math Teacher. Sal can be found professionally at WebDevStudios, where he works as a senior backend engineer.
