WordPress.org

Make WordPress Core

Opened 6 months ago

Closed 6 months ago

#45838 closed enhancement (duplicate)

Update PHPMailer to latest 5.2 version

Reported by: ayeshrajans Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: External Libraries Keywords: has-patch
Focuses: Cc:

Description

Motivation/Problem

WordPress includes a verbatim copy of PHPMailer as the underlying email client. The current version in use is 5.2.22.

All versions prior to 5.2.27 are now considered insecure due to two recent security fixes, namely [CVE-2018-19296](https://nvd.nist.gov/vuln/detail/CVE-2018-19296) and [CVE-2017-11503](https://nvd.nist.gov/vuln/detail/CVE-2017-11503).

CVE-2017-11503 (XSS) does not apply to WordPress because the test files are not present in WordPress. However, the other vulnerability CVE-2018-19296 (Phar RCE) _does_ apply to us if a contributed plugin is not properly sanitizing the attachment URIs. This vulnerability got a fairly big coverage in relevant media, and because there are PoCs already spread, I did not use the HackerOne program because this is not a vulnerability in WordPress itself.

Suggested solution

Upgrade PHPMailer library to the latest version without breaking backwards compatibility. The latest is 5.2.27, and includes fixes for said vulnerabilities.

```
git clone git@github.com:PHPMailer/PHPMailer.git --branch 5.2-stable
cd PHPMailer
git diff v5.2.22..v5.2.27 > phpmailer-5-2-27-upgrade.patch
```

This generated patch can be applied on src/wp-includes/class-phpmailer.php manually with a few hunk changes, but the patch applies successfully. I have applied a patch against WordPress 5.0 branch.

Thank you.

Attachments (1)

45838-phpmailer-5-2-27-upgrade.patch (6.6 KB) - added by ayeshrajans 6 months ago.
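
The description above ties CVE-2018-19296 to plugins that pass unsanitized attachment paths. As an added example (not code from this ticket, WordPress or PHPMailer), a plugin could validate each path like this before handing it to `wp_mail()`; the function name `example_safe_attachment_path` and the allowed-base-directory policy are assumptions.

```php
<?php
// Added example, not WordPress or PHPMailer code. The function name and the
// base-directory policy are assumptions made for illustration.
function example_safe_attachment_path( $path, $base_dir ) {
    if ( ! is_string( $path ) || $path === '' || strpos( $path, "\0" ) !== false ) {
        return false;
    }
    // Reject anything shaped like scheme://, which covers phar://, php://, http:// and so on.
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $path ) ) {
        return false;
    }
    // realpath() works on the local filesystem only; it resolves symlinks and
    // ../ segments and returns false when the file does not exist.
    $real = realpath( $path );
    $base = realpath( $base_dir );
    if ( $real === false || $base === false || ! is_file( $real ) ) {
        return false;
    }
    // The resolved file must sit under the allowed base directory.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $real, $prefix, strlen( $prefix ) ) !== 0 ) {
        return false;
    }
    return $real;
}

// Constructed demo input: a temporary directory stands in for the plugin's upload folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example_uploads_' . getmypid();
mkdir( $base );
file_put_contents( $base . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample' );

$candidates = array(
    $base . '/report.pdf',             // plain local file: accepted
    'phar://' . $base . '/report.pdf', // stream wrapper: rejected
    $base . '/../outside.txt',         // escapes the base directory: rejected
);
foreach ( $candidates as $candidate ) {
    $result = example_safe_attachment_path( $candidate, $base );
    printf( "%-6s %s\n", $result === false ? 'REJECT' : 'ACCEPT', $candidate );
}

unlink( $base . DIRECTORY_SEPARATOR . 'report.pdf' );
rmdir( $base );
```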

Change History (3)

#1 @ayeshrajans
6 months ago

  • Keywords has-patch added

#2 @ocean90
6 months ago

  • Component changed from Mail to External Libraries
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Type changed from defect (bug) to enhancement

Duplicate of #40472.