A critical remote code execution vulnerability in PHPMailer has been discovered by Polish researcher Dawid Golunski. The vulnerability was announced on legalhackers.com yesterday but proof of concept exploit details were not included.
Unfortunately someone posted a proof of concept to exploit-db and to github a few hours ago demonstrating how the vulnerability can be exploited in the PHPMailer library, but not targeting any web application that is in use.
We are publishing this unscheduled update to give PHP developers and our community advance warning of this issue. We expect this story to continue to evolve rapidly as more developers and malicious actors look at this code.
PHPMailer is used by WordPress core to send email. You can find the code in the wp-includes/class-phpmailer.php core file.
NOTE: There is no known exploit publicly available for WordPress core or any WordPress theme or plugin at this time. The only exploit we have seen is where a researcher has built their own application and then exploited it, demonstrating the existence of this vulnerability in PHPMailer. (Details below)
Please don’t contact the WordPress core team, WordPress forum moderators or anyone else panicking that your WordPress site will be exploited. This research is currently ongoing and we are making you aware of this issue early for two reasons:
- So that you can be ready to upgrade WordPress core and any other affected themes and plugins if you are a user, once a fix is released.
- So that, if you are a developer who has used a vulnerable version of PHPMailer, you can start patching your code and get a release out to your customers.
If you are unfamiliar with RCE vulnerabilities, they are a worst-case scenario. All of the worst vulnerabilities in the history of WordPress have been remote code execution vulnerabilities. They allow an attacker to execute their own code on a victim website and thereby take control of the website.
We have performed a brief analysis on the affected code in PHPMailer. To exploit this vulnerability, it appears that an attacker would need to be able to control the sender email address.
A snippet of the vulnerable code in PHPMailer, and of the fix, is shown below.
In the vulnerable version of PHPMailer, the sender email address is passed unescaped to a shell command. An attacker could include shell commands in the sender email that execute malicious code on a target machine or website.
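To make that pattern concrete, here is an added illustration written for this post (not PHPMailer's or WordPress's own code; the function names are invented and it needs PHP 7.1 or newer): the vulnerable shape, where the sender address flows straight into the sendmail parameters, beside a hardened shape that refuses any sender address containing characters a shell could interpret.

```php
<?php
// Added illustration, not code from PHPMailer or WordPress: the unsafe shape
// the advisory describes (sender address concatenated into the extra
// sendmail parameters that PHP's mail() passes to a shell) beside a
// conservative hardened shape. Function names are made up for this example.

// Unsafe: whatever is in $sender ends up on the sendmail command line.
function buildSendmailParamsUnsafe(string $sender): string
{
    return sprintf('-f%s', $sender);
}

// An address can be RFC-valid and still unsafe for a shell: a quoted local
// part may legally contain spaces and quotes. So require both syntactic
// validity and a strict character whitelist, and refuse anything else.
function isShellSafeAddress(string $sender): bool
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Only characters that no shell treats specially.
    return preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+$/', $sender) === 1;
}

// Hardened: emit -f only for a safe address; otherwise omit the flag so the
// MTA falls back to its default envelope sender. Note that mail() already
// runs escapeshellcmd() over this argument itself, so layering
// escapeshellarg() on top is not a substitute for rejecting the input.
function buildSendmailParamsSafe(string $sender): ?string
{
    return isShellSafeAddress($sender) ? sprintf('-f%s', $sender) : null;
}

// Constructed sample inputs for the demonstration.
$samples = [
    'alerts@example.com',  // ordinary address: accepted by both shapes
    '"a b"@example.com',   // RFC-valid quoted local part containing a space
];

foreach ($samples as $sender) {
    printf("%-20s unsafe=%-22s safe=%s\n",
        $sender,
        var_export(buildSendmailParamsUnsafe($sender), true),
        var_export(buildSendmailParamsSafe($sender), true));
}
```

The second sample is the instructive one: the unsafe builder passes it through unchanged, while the hardened builder returns null and never hands it to the shell.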
What to do
We’re sending out this email as an early warning for our subscribers and customers. The WordPress core team are currently working on a fix that will be included in a WordPress core security release. There is no official word on timing, but it may arrive as soon as within 24 hours.
Please update to the newest version of WordPress core as soon as it is released.
If you are using PHPMailer older than 5.2.18 in your own PHP applications, themes or plugins, please upgrade to PHPMailer 5.2.18 or newer immediately.
If you are a WordPress theme or plugin developer and have included your own copy of PHPMailer in your plugin or theme code, you need to update to PHPMailer 5.2.18 or newer immediately and release a fix to your customers.
More information and discussion
An issue in WP core was opened about 4 hours ago that included a patch to fix this issue. It updates WP core from using PHPMailer 5.2.14 to 5.2.19. This is just a proposed patch, not the final fix.
You can find the code changes on github showing the changes in PHPMailer to fix this issue. They make it fairly clear the issue is with the sender email address being sent to a shell command unsanitized.
A basic proof of concept exploit has also been posted to exploit-db which links to a more detailed demo of this exploit in action on github. The researcher has built their own web application which is vulnerable to this exploit, and then created an exploit for their own app. This is clearly not a real-world PoC, but it demonstrates the weakness in PHPMailer and paves the way for real-world exploits to emerge.
According to the post by the researcher who found this:
“The researcher also developed an Unauthenticated RCE exploit for a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities.”
The issue was posted to Hackaday yesterday and to The Hacker News earlier today.
It is being widely discussed on Twitter.
It is being discussed on WP Slack #forums and #core. [Login required]
Also being discussed on Hacker News.
It was posted to Reddit /r/netsec about 20 hours ago and is being discussed there.
We expect it to hit mainstream press tomorrow as everyone returns to work.
Update Monday Dec 26th at 5:23pm PST: The Drupal team also released a security advisory regarding PHPMailer a few hours ago.
Update Tuesday Dec 27th at 5:34am PST: The researcher has now released full details of this exploit including the specific weakness in PHPMailer that is used to gain remote code execution. They have not yet released the exploit they have for a “popular open source application”.
Update Tuesday Dec 27th at 8:14pm PST: There appear to still be security issues with PHPMailer that need to be fixed, as discussed on the oss-security mailing list.
Update Tuesday Dec 27th at 11:19pm PST: The researcher has now posted a new 0day bypass for PHPMailer v5.2.19 and older. According to the researcher, the 0day was disclosed because there had been a public discussion on the oss-sec list about a potential bypass that made it public. Disclosing a zero-day vulnerability is unusual for an ethical researcher, but in this case it’s excusable because the exploit became public through public discussion. It also helps vendors fix and test their products more effectively. So while this is unusual and potentially controversial, we think it’s an acceptable action in this case.