A critical vulnerability has been discovered in PHPMailer, which is one of the most popular open source PHP libraries to send emails used by more than 9 Million users worldwide.
Millions of PHP websites and popular open source web applications, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla comes with PHPMailer library for sending emails using a variety of methods, including SMTP to their users.
Discovered by Polish security researcher Dawid Golunski of Legal Hackers, the critical vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.
The adviser is planning on releasing proof of concept, and a video demonstrating it. Thank goodness for them informing everyone before releasing the information. Please make sure to check your PHP sites to ensure they have been updated to cover this exploit.
This is one of the reasons that we advise people to check your sites regular as you never know what bugs might pop up. In the past when we have had people contact us about a site problem it was almost always due to a site that hadn’t been maintained and was using an outdated software version.