WordPress.org

Make WordPress Core

Opened 2 weeks ago

Last modified 2 days ago

#54739 new defect (bug)

Upgrade PHPMailer to 5.2.27 for WordPress < 5.3 (and to 6.5.3 for above 5.4)

Reported by: zodiac1978
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords: needs-patch dev-feedback
Focuses:
Cc:

Description

In WordPress 5.3 the PHP Mailer library was updated to the latest version from the 5.2-branch. See #40472

In WordPress 5.5 the PHP Mailer library was updated to the new version 6. See #41750

As background updates are available from 3.7 on, we could update the PHP mailer library down to version 3.7 to protect those installations from being abused for spamming.

I checked https://wordpress.org/about/stats/ and WordPress installations with a version smaller than 5.3. These sum up to 24.15%.

We can only background update from 3.7, so we need to look at WordPress 3.7 to 5.2, which shows us 18.52% of all installations which are unprotected.

This would at least close two of those three known security problems with this version:
https://www.cybersecurity-help.cz/vdb/phpmailer_sourceforge_net/phpmailer/5.2.22/

Quoted from https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27:

Note that the 5.2 branch is deprecated and will not receive security updates after 31st December 2018.

The same goes for WP 5.5 to 5.8
-> WordPress 5.5 (PHP Mailer 6.1.6)
-> WordPress 5.6 (PHP Mailer 6.2)
-> WordPress 5.7 (PHP Mailer 6.3)
-> WordPress 5.7.2 (PHP Mailer 6.4)
-> WordPress 5.7.3 (PHP Mailer 6.5.0)

WordPress 5.9 will contain PHP Mailer 6.5.3 as the latest version.

As versions 6.4.1 and 6.5 are security releases, this could be relevant too:
https://github.com/PHPMailer/PHPMailer/releases?q=security&expanded=true

Although this is related to security, it seems that the other tickets about updating this library are handled in public, so I created this one here too.

Change History (6)

This ticket was mentioned in Slack in #core by zodiac1978.

10 days ago

#2 @jrf
10 days ago

@zodiac1978 Please check what has been backported already. In the case of older WP versions, the version of PHPMailer shipped with it will generally not be updated anymore, but individual security patches will be (and have been) backported.

So, while the version number of the PHPMailer package shipped with those older WP versions may give the impression it is not a secure version, the actual code shipped is often the official version + backported security patches.

#3 @zodiac1978
10 days ago

Thanks @jrf and @peterwilsoncc for the info about the existing backports.

Looks like CVE-2018-19296 is already fixed and backported.

CVE-2017-11503 is about bad example code which is not bundled in WP, I think.

But CVE-2021-34551 and CVE-2021-3603 are unfixed. I've checked the 4.4 branch, as this is the version on a website where I found this issue. At least, I think it is unfixed, as the WP code does not match the fix from the PHPMailer repo. Maybe this is handled differently in WP, or it is unfixed.

They have a high risk classification and allow remote code execution.

Because these are fixed in 6.5+ but the 5.2 branch was EOL, this seems to have slipped through.

Update: The fix came with 6.5, so it can be seen here: #53430 (the problem is that the 5.2 branch has this problem too).

Last edited 10 days ago by zodiac1978

This ticket was mentioned in Slack in #core by zodiac1978.

10 days ago

#5 @zodiac1978
4 days ago

  • Severity changed from normal to critical

Got a new install where the hoster is deactivating PHPMailer; this time it is WordPress 5.6.7 (which is the latest version at the moment) with the same unfixed problem.

Therefore changing the severity to critical. These are completely patched WPs which are sending spam.

#6 @zodiac1978
2 days ago

  • Severity changed from critical to normal

It looks like this was coming from form plugins that had not been updated, and PHPMailer was just disabled because it was the last item in the chain, not the cause itself. Therefore changing back to "normal".

CVE-2021-34551 is just a problem on Windows, and CVE-2021-3603 needs another Remote Code Injection to be used (although both could be fixed nevertheless).
