[wp-trac] [WordPress Trac] #45838: Update PHPMailer to latest 5.2 version
WordPress Trac
noreply at wordpress.org
Fri Jan 4 19:24:36 UTC 2019
#45838: Update PHPMailer to latest 5.2 version
--------------------------+-----------------------------
Reporter: ayeshrajans | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Mail | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
**Motivation/Problem**
WordPress includes a verbatim copy of PHPMailer as the underlying email
client. The current version in use is `5.2.22`.
All versions prior to 5.2.27 are now considered insecure due to two recent
security fixes, namely
[CVE-2018-19296](https://nvd.nist.gov/vuln/detail/CVE-2018-19296) and
[CVE-2017-11503](https://nvd.nist.gov/vuln/detail/CVE-2017-11503).
CVE-2017-11503 (XSS) does not apply to WordPress because the test files
are not present in WordPress. However, the other vulnerability
CVE-2018-19296 (Phar RCE) _does_ apply to us if a contributed plugin is
not properly sanitizing the attachment URIs. This vulnerability got
fairly big coverage in relevant media, and because there are PoCs already
spread, I did not use the HackerOne program because this is not a
vulnerability in WordPress itself.
**Suggested solution**
Upgrade PHPMailer library to the latest version without breaking backwards
compatibility. The latest is 5.2.27, and includes fixes for said
vulnerabilities.
{{{
git clone git@github.com:PHPMailer/PHPMailer.git --branch 5.2-stable
cd PHPMailer
git diff v5.2.22..v5.2.27 > phpmailer-5-2-27-upgrade.patch
}}}
This generated patch can be applied on `src/wp-includes/class-phpmailer.php`
manually with a few hunk changes, but the patch applies
successfully. I have applied a patch against the WordPress 5.0 branch.
Thank you.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45838>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
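
Added example, not part of the ticket and not WordPress or PHPMailer code: a shell check that reads the version declared in a bundled `class-phpmailer.php` and reports whether it predates 5.2.27, the release the ticket names as carrying the fixes. It assumes the 5.2-series file declares its version as `public $Version = 'x.y.z';`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the ticket: flag a bundled PHPMailer 5.2 copy
# that predates 5.2.27, the release the ticket names as carrying the fixes.
FIXED_VERSION="5.2.27"

# Print the x.y.z version declared in a PHPMailer class file (empty if none).
# Assumption: the file declares it as   public $Version = 'x.y.z';
phpmailer_version() {
    sed -n "s/^[[:space:]]*public[[:space:]][[:space:]]*[\$]Version[[:space:]]*=[[:space:]]*'\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)'.*/\1/p" "$1" 2>/dev/null | head -n 1
}

# Succeed when x.y.z version $1 is strictly lower than x.y.z version $2.
version_lt() {
    local IFS=.
    set -- $1 $2            # six fields: a.b.c followed by d.e.f
    if [ "$1" -lt "$4" ]; then return 0; elif [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; elif [ "$2" -gt "$5" ]; then return 1; fi
    [ "$3" -lt "$6" ]
}

# Classify one class file: prints "outdated <ver>", "ok <ver>" or "unknown".
check_phpmailer() {
    local ver
    ver=$(phpmailer_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "outdated $ver"
    else
        echo "ok $ver"
    fi
}

# Write a constructed stand-in for the class file, declaring version $1, to $2.
make_sample() {
    printf '%s\n' '<?php' 'class PHPMailer {' "    public \$Version = '$1';" '}' > "$2"
}

if [ -n "${1:-}" ]; then
    check_phpmailer "$1"        # e.g. src/wp-includes/class-phpmailer.php
else
    tmp=$(mktemp)
    make_sample 5.2.22 "$tmp"   # constructed sample input
    check_phpmailer "$tmp"      # prints: outdated 5.2.22
    rm -f "$tmp"
fi
```

Pass the path to a real class file as the first argument to check an actual tree; an "unknown" result means the version line was not found and the file needs manual inspection.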