There is a vulnerability in the PHPMailer library that affects every version before the critical release 5.2.18. The vulnerability has been publicly disclosed at legalhackers.com.
PHPMailer 5.2.14, a vulnerable version, is bundled with WordPress 4.7 (the latest version at the time of this writing). In other words, WordPress 4.7 and below ship a vulnerable copy of PHPMailer.
WordPress Core Is Not Vulnerable
By default, WordPress core is not vulnerable, nor is any plugin that uses wp_mail() properly. I am not aware of any plugin that uses wp_mail() in such a way as to expose the site to a vulnerability. Nevertheless, I look forward to the release of WordPress 4.7.1, which will include the latest version of PHPMailer, updated to eliminate this vulnerability.
The WordPress Security team is aware of the PHPMailer issues. We’ve been in contact with the author and security researchers and discussing the fixes.
Presently, WordPress Core (and as a result, anything utilising wp_mail()) is unaffected by the recent disclosures; the vulnerabilities require the usage of a PHPMailer feature which WordPress and wp_mail() do not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.
A note on plugins: If plugins are correctly utilising wp_mail() they’ll not be affected either; however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors.
The upcoming 4.7.1 release will contain mitigation for these issues; we’re committed to only shipping secure libraries with WordPress – regardless of whether we use the feature or not.
We don’t have any specific timing details to share at present; however, the preparations for a 4.7.1 release were already underway when we learnt about the issues.
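As a practical check on the two points above (the bundled PHPMailer version, and plugins that bypass wp_mail()), here is an added audit script; it is not from this post or from WordPress. It assumes the WordPress 4.7 layout of wp-includes/class-phpmailer.php and that PHPMailer 5.x declares its version in a $Version class property; the sample file contents are constructed.

```python
import re
from pathlib import Path

FIXED_VERSION = "5.2.18"  # first PHPMailer release with the fix, per the disclosure above

# PHPMailer 5.x declares its version as a class property:  public $Version = '5.2.14';
_VERSION_RE = re.compile(r"\$Version\s*=\s*['\"]([0-9][0-9.]*)['\"]")
# Plugin code that drives PHPMailer itself instead of calling wp_mail()
_DIRECT_RE = re.compile(r"\bnew\s+\\?PHPMailer\b|\bextends\s+\\?PHPMailer\b")

# Constructed sample inputs (not real WordPress or plugin files) so the checks run offline.
CORE_SAMPLE = "class PHPMailer {\n    public $Version = '5.2.14';\n}\n"
PLUGIN_SAMPLE = "<?php\nwp_mail($to, $subject, $body);\n$m = new PHPMailer();\n"

def parse_version(version: str) -> tuple:
    """'5.2.14' -> (5, 2, 14): compare numerically, since '5.2.9' > '5.2.18' as strings."""
    return tuple(int(part) for part in version.split("."))

def phpmailer_version(class_file_source: str):
    """Version string declared in class-phpmailer.php, or None if none is found."""
    match = _VERSION_RE.search(class_file_source)
    return match.group(1) if match else None

def is_vulnerable(version: str) -> bool:
    """True for every PHPMailer release before 5.2.18."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def direct_phpmailer_lines(plugin_source: str) -> list:
    """1-based line numbers where plugin code uses PHPMailer without going through wp_mail()."""
    return [n for n, line in enumerate(plugin_source.splitlines(), 1) if _DIRECT_RE.search(line)]

def audit_install(wp_root: Path) -> dict:
    """Run both checks over a real checkout; wp_root is the directory containing wp-includes/."""
    core = (wp_root / "wp-includes" / "class-phpmailer.php").read_text(errors="replace")
    version = phpmailer_version(core)
    report = {"phpmailer_version": version,
              "bundled_library_vulnerable": version is not None and is_vulnerable(version),
              "plugins_bypassing_wp_mail": {}}
    for php_file in (wp_root / "wp-content" / "plugins").rglob("*.php"):
        hits = direct_phpmailer_lines(php_file.read_text(errors="replace"))
        if hits:  # not proof of a bug, but outside the wp_mail() assurance: review by hand
            report["plugins_bypassing_wp_mail"][str(php_file)] = hits
    return report

if __name__ == "__main__":
    print("bundled version:", phpmailer_version(CORE_SAMPLE),
          "vulnerable:", is_vulnerable(phpmailer_version(CORE_SAMPLE)))
    print("direct PHPMailer use on lines:", direct_phpmailer_lines(PLUGIN_SAMPLE))
```

A plugin flagged by the second check is not thereby vulnerable; it is simply outside the wp_mail() assurance given above and needs a manual look.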