Just a few days ago, a new, critical exploit was discovered, and WordPress is among those platforms affected. A researcher published a paper on the vulnerability in the third-party PHPMailer library that’s used by WordPress and many other content management systems. The core WordPress development team has acknowledged the issue and are moving forward with a fix.
UPDATE 1/6/2017: After a bug scrub yesterday in the #core channel, it appears that WordPress 4.7.1 is on track for release on Wednesday, 1/11/2017. A fix for the PHPMailer RCE vulnerability is included. There are also more than 50 additional patches that resolve a variety of small issues contained in version 4.7’s initial release. You can read the full release notes here.
The Problem
The original researcher, Dawid Golunski, disclosed the vulnerability on LegalHackers.com early on Christmas Day after notifying PHPMailer of the issue. Specifically, PHPMailer versions 5.2.17 and earlier are susceptible to Remote Code Execution(RCE) by an attacker.
Worse yet, the path for the RCE is simply having the parent application send an email. You can probably guess that this includes actions like submitting a contact form, commenting, placing and order, and other common processes of a WordPress site.
The Fix
PHPMailer initially released patched versions, but those were thwarted by a 0-day bypass from Mr. Golunski.1https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html Finally, version 5.2.21 released on 12/28/2016 seems to by permanently patched from this particular vulnerability.
While WordPress core doesn’t rely on PHPMailer for the wp_mail
function, the class is included in the distribution. Also, plugin developers may be doing things differently, so the core development team is working on methods to mitigate the risks of this security hole in the upcoming 4.7.1 release.
Next Steps
WordPress has already committed a patch for this, so a new, minor WordPress release is coming in the next few days. If you have automatic updates enabled or your site is managed by someone else,2I perform these sort of tasks and keep up with this stuff 24/7. If you’re interested, apply for one of my monthly WordPress “Care” Service Plans. you’ll be covered when the time comes. If, however, you’re handling updates yourself, be on the lookout for an update notice in your dashboard soon.
References
1 | https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html |
---|---|
2 | I perform these sort of tasks and keep up with this stuff 24/7. If you’re interested, apply for one of my monthly WordPress “Care” Service Plans. |