RESOLVED: WordPress SECURITY flaw: WP registration DISABLED at MOMENT!! PHPMAILER lib critical vulnerability

axew3
w3all User
Posts: 2883
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Post by axew3 »

- CVE-2016-10033
- Release date: 25.12.2016
- Revision 1.0
- Severity: Critical
Registrations are disabled on the WordPress side, due to a vulnerability in
PHPMailer < 5.2.18: Remote Code Execution.
WordPress, even the latest 4.7, comes with PHPMailer version 5.2.14, so if you own a WordPress-based site, or a site based on a CMS that embeds and uses PHPMailer, you should DO THE SAME, and at least disable registrations and contact forms until a security patch has been released!
https://legalhackers.com/advisories/PHP ... -Vuln.html
"Probably the world's most popular code for sending email from PHP!
Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii,
Joomla! and many more"
P.S. But you can register here on the phpBB side: phpBB does not use PHPMailer, so it has not been temporarily disabled.

WordPress: PHPMAILER lib critical vulnerability seem to not affect

Post by axew3 »

Thank you, we're well aware of the issue.

At this time, we have determined that WordPress core is not vulnerable to this exploit. We are searching for plugins and themes that may open up such a vulnerability, but we have not found any so far.

A future version of WordPress will likely contain an update for this library.

-Otto

Re: RESOLVED: WordPress SECURITY flaw: WP registration DISABLED at MOMENT!! PHPMAILER lib critical vulnerability

Post by axew3 »

P.S. Check that there aren't plugins installed on your WP that are using the PHPMAILER class.
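One way to carry out the check from the last post, as an added example that is not part of the original thread and is not WordPress or PHPMailer project code: walk a WordPress tree, list every bundled copy of the PHPMailer class with its declared version (flagging anything below the 5.2.18 named in the first post), and list the files that instantiate the class or hook `phpmailer_init`. The sample tree and its plugin names are constructed for illustration, and the script assumes a copy declares its version as `$Version` or `const VERSION`.

```python
import re
import sys
import tempfile
from pathlib import Path

FIXED = (5, 2, 18)  # per the first post: PHPMailer < 5.2.18 is affected
CLASS_RE = re.compile(r"^\s*class\s+PHPMailer\b", re.M)
# PHPMailer 5.x declares `public $Version = '5.2.14';`, 6.x `const VERSION = '6.0.1';`
VERSION_RE = re.compile(r"(?:\$Version|const\s+VERSION)\s*=\s*['\"](\d+(?:\.\d+)+)['\"]")
# Code that instantiates the class or hooks WordPress's phpmailer_init action
USE_RE = re.compile(r"new\s+\\?(?:\w+\\)*PHPMailer\b|['\"]phpmailer_init['\"]")

# Constructed sample tree (hypothetical plugin names, not real plugins)
SAMPLE = {
    "wp-includes/class-phpmailer.php": "<?php\nclass PHPMailer {\n  public $Version = '5.2.14';\n}\n",
    "wp-content/plugins/example-form/lib/class.phpmailer.php": "<?php\nclass PHPMailer {\n  public $Version = '5.2.18';\n}\n",
    "wp-content/plugins/example-form/send.php": "<?php\n$mail = new PHPMailer(true);\n",
    "wp-content/plugins/example-gallery/gallery.php": "<?php\necho 'no mail here';\n",
}

def scan(root):
    """Return (copies, users): bundled PHPMailer copies and files that use the class."""
    root = Path(root)
    copies, users = [], []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        if CLASS_RE.search(text):
            m = VERSION_RE.search(text)
            ver = tuple(int(p) for p in m.group(1).split(".")) if m else None
            # A copy with no readable version is flagged so it gets a manual look
            copies.append((rel, ver, ver is None or ver < FIXED))
        elif USE_RE.search(text):
            users.append(rel)
    return copies, users

def demo():
    # Write the constructed SAMPLE tree to a temporary directory and scan it
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan(tmp)

if __name__ == "__main__":
    copies, users = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, ver, affected in copies:
        print("AFFECTED" if affected else "ok", ver, rel)
    print("files using PHPMailer:", users)
```

Run it with the path to a WordPress install as the only argument; without an argument it scans the constructed sample tree.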