[wp-trac] [WordPress Trac] #54739: Upgrade PHPMailer to 5.2.27 for WordPress < 5.3 (and to 6.5.3 for above 5.4)
WordPress Trac
noreply at wordpress.org
Tue Jan 4 16:59:57 UTC 2022
#54739: Upgrade PHPMailer to 5.2.27 for WordPress < 5.3 (and to 6.5.3 for above 5.4)
--------------------------------+--------------------------------------
 Reporter:  zodiac1978           |      Owner:  (none)
     Type:  defect (bug)         |     Status:  new
 Priority:  normal               |  Milestone:  Awaiting Review
Component:  External Libraries   |    Version:
 Severity:  normal               |   Keywords:  needs-patch dev-feedback
  Focuses:                       |
--------------------------------+--------------------------------------
In WordPress 5.3 the PHP Mailer library was updated to the latest version
from the 5.2-branch. See #40472
In WordPress 5.5 the PHP Mailer library was updated to the new version 6.
See #41750
As background updates are available from 3.7 on, we could update the PHP
Mailer library down to version 3.7 to protect those installations from
being abused for spamming.
I checked https://wordpress.org/about/stats/ and WordPress installations
with version smaller than 5.3. These sum up to 24.15 %.
We can only background update from 3.7, so we need to look at WordPress
3.7 to 5.2, which shows us 18,52 % of all installations which are
unprotected.
This would at least close two of those three known security problems
with this version:
https://www.cybersecurity-help.cz/vdb/phpmailer_sourceforge_net/phpmailer/5.2.22/
Quoted from https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27:
> Note that the 5.2 branch is deprecated and will not receive security
> updates after 31st December 2018.
The same goes for WP 5.5 to 5.8:
-> WordPress 5.5 (PHP Mailer 6.1.6)
-> WordPress 5.6 (PHP Mailer 6.2)
-> WordPress 5.7 (PHP Mailer 6.3)
-> WordPress 5.7.2 (PHP Mailer 6.4)
-> WordPress 5.7.3 (PHP Mailer 6.5.0)
WordPress 5.9 will contain PHP Mailer 6.5.3 as the latest version.
As versions 6.4.1 and 6.5 are security releases, this could be relevant too:
https://github.com/PHPMailer/PHPMailer/releases?q=security&expanded=true
Although this is related to security, it seems that the other tickets about
updating this library are handled in public, so I created this one here
too.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54739>
WordPress Trac <https://core.trac.wordpress.org/>