Make WordPress Core

Opened 21 months ago

Last modified 21 months ago

#54739 new defect (bug)

Upgrade PHPMailer to 5.2.27 for WordPress < 5.3 (and to 6.5.3 for above 5.4)

Reported by: zodiac1978
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords: needs-patch dev-feedback
Focuses:
Cc:


In WordPress 5.3 the PHPMailer library was updated to the latest version from the 5.2 branch. See #40472

In WordPress 5.5 the PHPMailer library was updated to the new version 6. See #41750

As background updates are available from 3.7 on, we could update the PHPMailer library down to version 3.7 to protect those installations from being abused for spamming.

I checked, and WordPress installations with a version smaller than 5.3 sum up to 24.15%.

We can only background update from 3.7, so we need to look at WordPress 3.7 to 5.2, which shows us 18.52% of all installations that are unprotected.

This would at least close two of those three known security problems with this version:

Quoted from

Note that the 5.2 branch is deprecated and will not receive security updates after 31st December 2018.

The same goes for WP 5.5 to 5.8
-> WordPress 5.5 (PHP Mailer 6.1.6)
-> WordPress 5.6 (PHP Mailer 6.2)
-> WordPress 5.7 (PHP Mailer 6.3)
-> WordPress 5.7.2 (PHP Mailer 6.4)
-> WordPress 5.7.3 (PHP Mailer 6.5.0)

WordPress 5.9 will contain PHPMailer 6.5.3 as the latest version.

As versions 6.4.1 and 6.5 are security releases, this could be relevant too:

Although this is related to security, it seems that the other tickets about updating this library are handled in public, so I created this one here too.

Change History (6)

This ticket was mentioned in Slack in #core by zodiac1978.

21 months ago

#2 @jrf
21 months ago

@zodiac1978 Please check what has been backported already. In the case of older WP versions, the version of PHPMailer shipped with it will generally not be updated anymore, but individual security patches will be (and have been) backported.

So, while the version number of the PHPMailer package shipped with those older WP versions may give the impression it is not a secure version, the actual code shipped is often the official version + backported security patches.

#3 @zodiac1978
21 months ago

Thanks @jrf and @peterwilsoncc for the info about the existing backports.

Looks like CVE-2018-19296 is already fixed and backported.

CVE-2017-11503 is about bad example code which is not bundled in WP, I think.

But CVE-2021-34551 and CVE-2021-3603 are unfixed. I've checked the 4.4 branch as this is the version on a website where I found this issue. At least, I think it is unfixed, as the WP code does not match the fix from the PHPMailer repo. Maybe this is handled differently in WP, or it is unfixed.

They have a high risk classification and allow remote code execution.

Because these are fixed in 6.5+ but the 5.2 branch was EOL, this seems to have slipped through.

Update: The fix came with 6.5, so it can be seen here: #53430 (The problem is that the 5.2 branch has this problem too.)

Last edited 21 months ago by zodiac1978
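The two comments above make one practical point: the `$Version` string of a bundled PHPMailer says nothing about whether a given fix was backported, so the code itself has to be inspected. The script below is an added example written for this page; it is not code from the ticket, from WordPress or from PHPMailer. It greps a class-phpmailer.php for the version string and for two fix markers that are assumptions on my part: that the 5.2.27/6.0.6 fix for CVE-2018-19296 introduced an `isPermittedPath()` helper, and that the 6.5.0 fix for CVE-2021-3603 stops treating a plain string as a validator callable by adding `!is_string($patternselect)` to `validateAddress()`. A WordPress backport may implement either fix with different code, in which case the markers need adjusting. The two PHP excerpts embedded in the script are constructed stand-ins, not real WordPress files.

```python
import re
import sys

# Constructed excerpt mimicking an older bundled class-phpmailer.php that
# carries no backports. NOT copied from WordPress or PHPMailer.
UNPATCHED_SAMPLE = r'''
class PHPMailer {
    public $Version = '5.2.22';
    public function addAttachment($path, $name = '', $encoding = 'base64', $type = '')
    {
        if (!@is_file($path)) {
            throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
        }
    }
    public static function validateAddress($address, $patternselect = null)
    {
        if (is_null($patternselect)) {
            $patternselect = self::$validator;
        }
        if (is_callable($patternselect)) {
            return call_user_func($patternselect, $address);
        }
    }
}
'''

# Constructed excerpt with the same $Version string but both fixes applied,
# i.e. what jrf describes: official version + backported security patches.
BACKPORTED_SAMPLE = r'''
class PHPMailer {
    public $Version = '5.2.22';
    protected static function isPermittedPath($path)
    {
        return !preg_match('#^[a-z]+://#i', $path);
    }
    public function addAttachment($path, $name = '', $encoding = 'base64', $type = '')
    {
        if (!self::isPermittedPath($path) or !@is_file($path)) {
            throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
        }
    }
    public static function validateAddress($address, $patternselect = null)
    {
        if (is_null($patternselect)) {
            $patternselect = self::$validator;
        }
        if (is_callable($patternselect) && !is_string($patternselect)) {
            return call_user_func($patternselect, $address);
        }
    }
}
'''

# Assumed fix markers (see lead-in). Adjust if a backport differs from upstream.
FIX_MARKERS = {
    # phar:// object injection via addAttachment(); fixed by a stream-wrapper check.
    "CVE-2018-19296": r"\bisPermittedPath\s*\(",
    # string-named callable passed to validateAddress(); fixed by rejecting strings.
    "CVE-2021-3603": (
        r"is_callable\s*\(\s*\$patternselect\s*\)\s*&&\s*!\s*is_string\s*\(\s*\$patternselect\s*\)"
    ),
}


def phpmailer_version(source):
    """Return the $Version string PHPMailer advertises, or None if absent."""
    m = re.search(r"\$Version\s*=\s*'([^']+)'", source)
    return m.group(1) if m else None


def audit_phpmailer(source):
    """Report the advertised version and which assumed fix markers are present."""
    return {
        "version": phpmailer_version(source),
        "fixes": {cve: bool(re.search(pat, source)) for cve, pat in FIX_MARKERS.items()},
    }


def missing_fixes(source):
    """CVE ids whose fix marker is absent; the version string is deliberately ignored."""
    report = audit_phpmailer(source)
    return sorted(cve for cve, present in report["fixes"].items() if not present)


if __name__ == "__main__":
    # Usage: python audit_phpmailer.py wp-includes/class-phpmailer.php
    # Without an argument, run on the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"unpatched sample": UNPATCHED_SAMPLE, "backported sample": BACKPORTED_SAMPLE}
    for label, src in targets.items():
        report = audit_phpmailer(src)
        print(f"{label}: advertised version {report['version']}, "
              f"missing fixes: {missing_fixes(src) or 'none'}")
```

Both samples advertise 5.2.22, which is exactly why the version string is not the thing to assert on; only the presence of the patched code tells the two apart. A `version` below 5.2.27 combined with an empty `missing_fixes()` list is the "official version + backported patches" case, while a non-empty list on a fully updated WordPress is the situation worth reporting.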

This ticket was mentioned in Slack in #core by zodiac1978.

21 months ago

#5 @zodiac1978
21 months ago

  • Severity changed from normal to critical

Got a new install where the hoster is deactivating PHPMailer; this time it is WordPress 5.6.7 (which is the latest version at the moment) and the same unfixed problem.

Therefore I am changing the severity to critical. These are completely patched WPs that are sending spam.

#6 @zodiac1978
21 months ago

  • Severity changed from critical to normal

It looks like this was coming from form plugins that had not been updated, and PHPMailer was just disabled because it was the last item in the chain, not the reason itself. Therefore changing back to "normal".

CVE-2021-34551 is just a problem on Windows, and CVE-2021-3603 needs another remote code injection to be used (although both could be fixed nevertheless).
