Opened 6 years ago
Closed 6 years ago
#45838 closed enhancement (duplicate)
Update PHPMailer to latest 5.2 version
Priority: normal
Severity: normal
Component: External Libraries
Keywords: has-patch
Description
Motivation/Problem
WordPress includes a verbatim copy of PHPMailer as the underlying email client. The current version in use is 5.2.22.
All versions prior to 5.2.27 are now considered insecure due to two recent security fixes, namely [CVE-2018-19296](https://nvd.nist.gov/vuln/detail/CVE-2018-19296) and [CVE-2017-11503](https://nvd.nist.gov/vuln/detail/CVE-2017-11503).
CVE-2017-11503 (XSS) does not apply to WordPress because the test files are not present in WordPress. However, the other vulnerability, CVE-2018-19296 (Phar RCE), _does_ apply to us if a contributed plugin is not properly sanitizing the attachment URIs. This vulnerability got fairly big coverage in relevant media, and because there are PoCs already spread, I did not use the HackerOne program, as this is not a vulnerability in WordPress itself.
Suggested solution
Upgrade the PHPMailer library to the latest version without breaking backwards compatibility. The latest is 5.2.27, and it includes fixes for said vulnerabilities.
```sh
git clone git@github.com:PHPMailer/PHPMailer.git --branch 5.2-stable
cd PHPMailer
git diff v5.2.22..v5.2.27 > phpmailer-5-2-27-upgrade.patch
```
This generated patch can be applied on src/wp-includes/class-phpmailer.php manually with a few hunk changes, but the patch applies successfully. I have applied a patch against the WordPress 5.0 branch.
Thank you.
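A plugin-side guard for the attachment-path issue the description raises, as an added example in PHP (not code from the ticket, WordPress or PHPMailer): it assumes a plugin-controlled attachments directory, and the function names plugin_safe_attachment_path and plugin_send_mail_with_attachments are hypothetical; wp_mail is the real WordPress function.

```php
<?php
// Added example, not from the ticket or from WordPress/PHPMailer: a plugin-side
// guard that only hands vetted local file paths to wp_mail() attachments.
// Assumption: attachments live under a plugin-controlled directory; anything
// else (stream-wrapper URIs such as phar://, paths escaping the directory,
// non-existent or non-regular files) is rejected before reaching the mailer.

/**
 * Return the canonical path of $candidate if it is a readable regular file
 * inside $allowed_dir, or null if it must not be passed to the mailer.
 */
function plugin_safe_attachment_path( $candidate, $allowed_dir ) {
    // Reject anything shaped like a stream wrapper (phar://, data://, ...)
    // before any filesystem call, so no wrapper code is invoked at all.
    if ( preg_match( '#^[a-z][a-z\d+.-]*://#i', $candidate ) ) {
        return null;
    }
    $base = realpath( $allowed_dir );
    $real = realpath( $candidate );
    if ( false === $base || false === $real ) {
        return null; // directory or file does not exist
    }
    // The canonical path must sit strictly below the allowed directory.
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    if ( ! is_file( $real ) || ! is_readable( $real ) ) {
        return null;
    }
    return $real;
}

/**
 * Vet every user-supplied attachment candidate, then send the mail.
 * Returns false without sending if any candidate is rejected.
 */
function plugin_send_mail_with_attachments( $to, $subject, $body, array $candidates, $allowed_dir ) {
    $attachments = array();
    foreach ( $candidates as $candidate ) {
        $path = plugin_safe_attachment_path( $candidate, $allowed_dir );
        if ( null === $path ) {
            error_log( 'Rejected attachment candidate: ' . $candidate );
            return false;
        }
        $attachments[] = $path;
    }
    return wp_mail( $to, $subject, $body, array(), $attachments );
}
```

The wrapper check runs before realpath() and is_file() on purpose: in PHP versions affected by Phar deserialization, filesystem functions on a phar:// path were themselves the trigger.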
Duplicate of #40472.