#54739 closed defect (bug) (invalid)
Upgrade PHPMailer to 5.2.27 for WordPress < 5.3 (and to 6.5.3 for above 5.4)
| Reported by: | zodiac1978 | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | External Libraries | Keywords: | |
| Focuses: | | Cc: | |
Description
In WordPress 5.3 the PHPMailer library was updated to the latest version from the 5.2 branch. See #40472
In WordPress 5.5 the PHPMailer library was updated to the new version 6. See #41750
As background updates are available from 3.7 on, we could update the PHPMailer library down to version 3.7 to protect those installations from being abused for spamming.
I checked https://wordpress.org/about/stats/ and WordPress installations with version smaller than 5.3. These sum up to 24.15 %.
We can only background-update from 3.7, so we need to look at WordPress 3.7 to 5.2, which shows us 18.52 % of all installations which are unprotected.
This would at least close two of those three known security problems with this version:
https://www.cybersecurity-help.cz/vdb/phpmailer_sourceforge_net/phpmailer/5.2.22/
Quoted from https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27:
Note that the 5.2 branch is deprecated and will not receive security updates after 31st December 2018.
The same goes for WP 5.5 to 5.8
-> WordPress 5.5 (PHP Mailer 6.1.6)
-> WordPress 5.6 (PHP Mailer 6.2)
-> WordPress 5.7 (PHP Mailer 6.3)
-> WordPress 5.7.2 (PHP Mailer 6.4)
-> WordPress 5.7.3 (PHP Mailer 6.5.0)
WordPress 5.9 will contain PHP Mailer 6.5.3 as the latest version.
As versions 6.4.1 and 6.5 are security releases, this could be relevant too:
https://github.com/PHPMailer/PHPMailer/releases?q=security&expanded=true
Although this is related to security, it seems that the other tickets about updating this library are handled in public, so I created this one here too.
Change History (8)
This ticket was mentioned in Slack in #core by zodiac1978. View the logs.
3 years ago
#3
@
3 years ago
Thanks @jrf and @peterwilsoncc for the info about the existing backports.
Looks like CVE-2018-19296 is already fixed and backported.
CVE-2017-11503 is about bad example code which is not bundled in WP, I think.
But CVE-2021-34551 and CVE-2021-3603 are unfixed. I've checked the 4.4 branch as this is the version on a website where I found this issue. At least, I think it is unfixed, as the WP code does not match the fix from the PHPMailer repo. Maybe this is handled differently in WP, or it is unfixed.
They have a high risk classification and allow remote code execution.
Because these are fixed in 6.5+ but the 5.2 branch was EOL, this seems to have slipped through.
Update: The fix came with 6.5, so it can be seen here: #53430 (the problem is that the 5.2 branch has this problem too)
This ticket was mentioned in Slack in #core by zodiac1978. View the logs.
3 years ago
#5
@
3 years ago
- Severity changed from normal to critical
Got a new install where the hoster is deactivating PHPMailer; this time it is WordPress 5.6.7 (which is the latest version at the moment), with the same unfixed problem.
Therefore changing the severity to critical. These are completely patched WPs which are sending spam.
#6
@
3 years ago
- Severity changed from critical to normal
It looks like this was coming from form plugins that were not updated, and PHPMailer was just disabled because it was the last item in the chain, not the reason itself. Therefore changing back to "normal".
CVE-2021-34551 is just a problem on Windows, and CVE-2021-3603 needs another Remote Code Injection to be used (although both could be fixed nevertheless).
@zodiac1978 Please check what has been backported already. In the case of older WP versions, the version of PHPMailer shipped with it will generally not be updated anymore, but individual security patches will be (and have been) backported.
So, while the version number of the PHPMailer package shipped with those older WP versions may give the impression it is not a secure version, the actual code shipped is often the official version + backported security patches.