
Remote code execution vulnerabilities have been discovered in the popular PHP mail sending libraries PHPMailer and SwiftMailer. Improper validation of email addresses potentially allows an attacker to execute arbitrary code as the user running PHP. These vulnerabilities could be employed, for example, to send out spam from the server or to perform denial of service (DoS) attacks against other internet users. Combined with a local privilege escalation vulnerability or poorly set file permissions, they could also be used as a stepping stone to further compromise the server.

The vulnerabilities are fixed in PHPMailer version 5.2.20 and SwiftMailer version 5.4.5. It is highly recommended that all users upgrade to these or later versions as soon as possible. Note that an initial fix for PHPMailer, released as version 5.2.18, was found to be incomplete, so any server running this or version 5.2.19 is still vulnerable.
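One way to check a server against these version thresholds, as an added example that is not part of the original advisory or of either project's code. It assumes that PHPMailer 5.x declares its release as a `$Version` property in `class.phpmailer.php` (shipped by WordPress as `class-phpmailer.php`); the function names are illustrative.

```python
import os
import re

# Fixed releases named in the advisory; anything lower is treated as vulnerable.
FIXED = {"phpmailer": (5, 2, 20), "swiftmailer": (5, 4, 5)}

# Assumption: PHPMailer 5.x declares its release as `public $Version = '5.2.19';`
# in class.phpmailer.php (WordPress ships the file as class-phpmailer.php).
CLASS_FILES = {"class.phpmailer.php", "class-phpmailer.php"}
VERSION_RE = re.compile(r"\$Version\s*=\s*['\"](\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '5.2.19' or 'v5.2.19' into (5, 2, 19), padded to three parts."""
    match = re.match(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if match is None:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(library, version):
    """True when `version` is older than the fixed release for `library`."""
    return parse_version(version) < FIXED[library]


def scan_phpmailer(root):
    """Walk `root` and return (path, version, vulnerable) per PHPMailer copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in CLASS_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            if match is None:
                # No version string found: flag the copy for a manual check.
                findings.append((path, None, True))
            else:
                ver = match.group(1)
                findings.append((path, ver, is_vulnerable("phpmailer", ver)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, ver, vuln in scan_phpmailer(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'VULNERABLE' if vuln else 'ok':10} {ver or 'unknown':8} {path}")
```

Versions are compared as integer tuples because a plain string comparison would rank 5.2.9 above 5.2.20.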

PHPMailer is used in many popular web applications, including WordPress, Drupal and Joomla. If you run these or any other applications that include PHPMailer, you should install any updates as soon as they become available. If in doubt, contact the vendor and ask if they are vulnerable to any of the following CVEs, and if fixes are available:


More technical details of these vulnerabilities can be found by clicking on the relevant CVE above. Alternatively, if you’d prefer to discuss this or any concerns with our support team, please call 0808 133 3247 or submit a support ticket.


CWCS advisors and support are on hand 24/7 365 days a year to assist with your enquiry.