Critical PHPMailer & SwiftMailer Security Updates

Although the PHPMailer vulnerability was posted to our Script Security Forum a couple of days ago, the widespread and critical nature of these vulnerabilities warrants a post here as well. PHPMailer and SwiftMailer are both libraries used for sending emails. A very large number of scripts use one of these two libraries, including WordPress, Drupal, SugarCRM, Joomla and many others. Both libraries contain similar remote code execution vulnerabilities that can be exploited under certain circumstances.

It is very important that you make sure all instances of these libraries are updated. This will, unfortunately, be difficult to pinpoint in some cases since many plugins also include these libraries. Every core script, plugin and theme that you use should be investigated to determine whether or not these libraries are included and require updating.

All instances of PHPMailer must be updated to 5.2.21 or higher, which can be downloaded here.

All instances of SwiftMailer must be updated to 5.4.5 or higher, which can be downloaded here.
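One way to locate bundled copies and compare them against the two minimum versions above, as an added example that is not part of the original post. It assumes PHPMailer stores its version in a `$Version` property in `class.phpmailer.php` (or `class-phpmailer.php`) and that SwiftMailer ships a `VERSION` file two directories above `lib/classes/Swift.php`; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MIN_FIXED = {"PHPMailer": (5, 2, 21), "SwiftMailer": (5, 4, 5)}  # from the post
# Assumed layouts: PHPMailer keeps `$Version = '5.2.x'` in class.phpmailer.php;
# SwiftMailer ships a VERSION file ("Swift-5.4.x") two levels above Swift.php.
PHPMAILER_RE = re.compile(r"""\$Version\s*=\s*['"](\d+(?:\.\d+)*)""")
SWIFT_RE = re.compile(r"Swift-(\d+(?:\.\d+)*)")

def read_version(path, pattern):
    """Return the version tuple found in the file, or None if missing/unparsed."""
    try:
        match = pattern.search(Path(path).read_text(errors="ignore"))
    except OSError:
        return None
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

def find_mailers(root):
    """Return (library, relative path, version, needs_update) for each copy."""
    found = []
    for path in sorted(Path(root).rglob("*.php")):
        if path.name.lower() in ("class.phpmailer.php", "class-phpmailer.php"):
            lib, ver = "PHPMailer", read_version(path, PHPMAILER_RE)
        elif path.name == "Swift.php":
            lib, ver = "SwiftMailer", read_version(path.parent / "../../VERSION", SWIFT_RE)
        else:
            continue
        # A copy whose version cannot be read is flagged, not silently skipped.
        stale = ver is None or ver < MIN_FIXED[lib]
        found.append((lib, path.relative_to(root).as_posix(), ver, stale))
    return found

def build_demo_tree():
    """Constructed sample web root with bundled copies at different versions."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "wp-content/plugins/old-form/class.phpmailer.php": "public $Version = '5.2.9';",
        "vendor/phpmailer/class.phpmailer.php": "public $Version = '5.2.21';",
        "vendor/swiftmailer/lib/classes/Swift.php": "<?php // no version here",
        "vendor/swiftmailer/VERSION": "Swift-5.4.1",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for lib, rel, ver, stale in find_mailers(build_demo_tree()):
        print("UPDATE" if stale else "ok", lib, ver, rel)
```

Point `find_mailers` at your own document root instead of the demo tree; copies that have been renamed or repackaged by a plugin will not match these file names and still need a manual check.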

This would also be a good time to examine your plugins and themes to make sure they are all being actively maintained. As a general rule, if they haven’t received any updates within 6 months you should be concerned. If they haven’t received any updates within the past year, they probably shouldn’t be used at all.

The ongoing use of abandoned projects is one of the bigger risks facing websites like those powered by WordPress. While such a plugin may appear to be all good and up-to-date from within the WordPress admin panel, the developers may not have touched it in years and the project page may no longer even exist. As such, a regular audit of these is a very good idea, and in general you should stick to more popular options when possible.

If you run into any issues with updating or have any questions, please feel free to post a comment here, post on our forums or submit a ticket via our portal.
