Opened 7 months ago

Last modified 12 days ago

#40472 new enhancement

Update PHPMailer to 5.2.25

Reported by: MattyRob Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 4.8
Component: External Libraries Keywords: has-patch needs-testing
Focuses: Cc:

Description

There is a minor maintenance release for PHPMailer that we should consider patching to.
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.23

Attachments (4)

40472.diff (6.7 KB) - added by MattyRob 7 months ago.
40472v2.diff (10.2 KB) - added by MattyRob 4 months ago.
40472v3.diff (74.2 KB) - added by MattyRob 3 months ago.
40472v4.diff (338.3 KB) - added by MattyRob 12 days ago.

Change History (16)

#1 @MattyRob
7 months ago

  • Keywords has-patch needs-testing added
  • Severity changed from normal to minor

#2 @lukecavanagh
7 months ago

40472.diff: patch applies cleanly.

#3 @MattyRob
7 months ago

  • Keywords needs-testing removed

I've tested emails and everything appears functional with the patch, and the PHPUnit tests all pass in the mail test suite.

#4 @Presskopp
4 months ago

FYI: 5.2.24 is current (also fixing a security issue that doesn't affect WordPress, as far as I can tell).

#5 @MattyRob
4 months ago

  • Keywords needs-testing added
  • Summary changed from Update PHPMailer to 5.2.23 to Update PHPMailer to 5.2.24

#6 @Presskopp
3 months ago

  • Summary changed from Update PHPMailer to 5.2.24 to Update PHPMailer to 5.2.25

Version 5.2.25 (August 28th 2017)

Make obtaining SMTP transaction ID more reliable

Add Bosnian translation

This is the last official release in the legacy PHPMailer 5.2 series; there may be future security patches (which will be found in the 5.2-stable branch), but no further non-security PRs or issues will be accepted.

Migrate to PHPMailer 6.0.

#7 @netweb
3 months ago

Related: #41750 Update PHPMailer to 6.0

#8 @peopleinside
6 weeks ago

  • Severity changed from minor to normal

Hi,
currently I can see mail coming out of WordPress via PHPMailer 5.2.22, which has a security vulnerability.

I am asking when this will be fixed with an update in WordPress.
Thank you.

I am using the plugin SMTP Mailer and opened an issue, but the plugin author says that the plugin uses the WordPress PHPMailer, so the WordPress PHPMailer seems to be vulnerable (5.2.22):
https://wordpress.org/support/topic/php-mailer-vulnerability/#post-9563243

On PHPMailer 5.2.24:
SECURITY Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The code_generator.phps example did not filter user input prior to output. This file is distributed with a .phps extension, so it is not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.

#9 follow-up: @bgermann
6 weeks ago

CVE-2017-11503 is not an issue for WordPress, because the example is not included. BUT the potential XSS vulnerability may be an issue. The fix can be seen at https://github.com/PHPMailer/PHPMailer/commit/d46ba2d186.

It does not need much time to integrate the existing (!) patch, but it would take much time to ensure WordPress is not affected by this. So why not integrate the patch? Please!

#10 in reply to: ↑ 9 @aaroncampbell
4 weeks ago

  • Severity changed from normal to minor

I took a look through our code and it doesn't look like we use the phpmailerException::errorMessage() helper function anywhere, which would mean the reported potential XSS doesn't affect WordPress core.

I'm of the general opinion that keeping our libraries up to date is good, it's just not security related in this case.

As a side note, if it was a valid security issue it should really be reported to https://hackerone.com/wordpress and not discussed publicly here on Trac.
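To make the exception-handler point in comments 9 and 10 concrete, here is an added example that is not code from the ticket, its patches, or PHPMailer itself. The two `errorMessage()` bodies are reconstructions modelled on the pre- and post-fix shape of `phpmailerException::errorMessage()` in the 5.2 series (unescaped concatenation versus `htmlspecialchars()`), not copied from the library, and the class names, the crafted address and the `find_error_message_callers()` audit helper are assumptions for illustration. The audit helper is the kind of check aaroncampbell describes: it only matters whether something in the code base actually calls the helper and echoes its output.

```php
<?php
// Added example (not from the ticket or from PHPMailer). Demonstrates why an
// unescaped exception message in an errorMessage()-style helper is an XSS
// sink, what the 5.2.24-style fix changes, and how to audit a tree for callers.

// Pre-fix shape (reconstruction, assumed): the message is concatenated
// straight into HTML with no escaping.
class LegacyMailerException extends Exception
{
    public function errorMessage()
    {
        return '<strong>' . $this->getMessage() . "</strong><br />\n";
    }
}

// Post-fix shape (reconstruction, assumed): the message is HTML-escaped
// before being wrapped in markup.
class FixedMailerException extends Exception
{
    public function errorMessage()
    {
        return '<strong>'
            . htmlspecialchars($this->getMessage(), ENT_QUOTES, 'UTF-8')
            . "</strong><br />\n";
    }
}

// The sink is only reachable when attacker-controlled data lands in the
// exception message AND a caller echoes errorMessage() into a page.
// Constructed input: an invalid recipient address reflected into the error text.
$badAddress = '"><script>alert(1)</script>@example.com';
$msg        = 'Invalid address: ' . $badAddress;

echo (new LegacyMailerException($msg))->errorMessage(); // markup survives intact
echo (new FixedMailerException($msg))->errorMessage();  // <, > and " become entities

// Audit helper (assumed, not an official WordPress tool): list every
// "file:line" under $root where a PHP file calls ->errorMessage().
// An empty result for wp-includes/ and wp-admin/ is the condition under which
// the unescaped helper does not affect core.
function find_error_message_callers(string $root): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || $file->getExtension() !== 'php') {
            continue;
        }
        foreach (file($file->getPathname()) as $n => $line) {
            if (strpos($line, '->errorMessage(') !== false) {
                $hits[] = $file->getPathname() . ':' . ($n + 1);
            }
        }
    }
    return $hits;
}

// Usage: php audit.php /path/to/wordpress/wp-includes
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(find_error_message_callers($argv[1]));
}
```

The first `echo` shows the legacy helper emitting the `<script>` tag verbatim, so any page that prints it renders attacker markup; the second shows the escaped form, where the quote and angle brackets arrive as `&quot;`, `&lt;` and `&gt;`. The audit scans for call sites only; a hit still needs a manual look at whether the message can carry user input and whether the return value reaches HTML output.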

#12 @MattyRob
12 days ago

  • Severity changed from minor to major

@Presskopp

I believe it may pose a risk but should not cause issues in the default WordPress configuration, patch updated.

Last edited 12 days ago by MattyRob