PHPMailer Security Advisory
By Matt / December 29th, 2016
Exploit type: Remote Code Execution in third-party PHPMailer library
CVE Numbers: CVE-2016-10033 and CVE-2016-10045
All versions of the third-party PHPMailer library distributed with WHMCS contain a remote code execution vulnerability. This is patched in PHPMailer 5.2.20.
At this time we do not believe the deficiency in PHPMailer is exposed in WHMCS due to our own validation of user input. Furthermore, the vulnerability requires being able to pass user input unfiltered to a message's "from" address, which in WHMCS is only defined within the admin configuration and only accessible to a trusted admin user.
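As an added illustration (not WHMCS or PHPMailer code), the PHP below shows the kind of allow-list check on a configured sender address that keeps anything other than a plain mailbox address away from a message's "from" field before it reaches PHPMailer. The function name isSafeSenderAddress and the sample addresses are assumptions made for this example; setFrom() is PHPMailer's own method. The pattern is deliberately stricter than RFC 5322 (no quoted local parts, no whitespace, no comments), which is an acceptable trade-off for an address an administrator sets once in configuration.

```php
<?php
// Added example, not part of the advisory or of PHPMailer/WHMCS.
// Strict allow-list validation for a configured sender address.

/**
 * Return true only for a plain "local@host.tld" mailbox address.
 *
 * Deliberately conservative: the local part is limited to letters, digits
 * and . _ % + -, so quotes, backslashes, parentheses, angle brackets and
 * whitespace are all rejected. Input is NOT trimmed, so leading or
 * trailing whitespace also causes rejection.
 */
function isSafeSenderAddress($address)
{
    if (!is_string($address) || strlen($address) > 254) { // 254: practical SMTP path limit
        return false;
    }

    $pattern = '/^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$/';
    if (preg_match($pattern, $address) !== 1) {
        return false;
    }

    // PHP's own validator must agree as well (it is looser, so it only adds a check).
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample values: what the check accepts and rejects.
$samples = array(
    'billing@example.com'      => true,   // plain mailbox address
    '"billing"@example.com'    => false,  // quoted local part
    'billing @example.com'     => false,  // embedded whitespace
    'billing@example.com '     => false,  // trailing whitespace
    'billing@example'          => false,  // no top-level domain
);
foreach ($samples as $candidate => $expected) {
    if (isSafeSenderAddress($candidate) !== $expected) {
        throw new RuntimeException('Unexpected result for: ' . $candidate);
    }
}

// Usage with PHPMailer: refuse to send rather than pass a rejected address on.
// (PHPMailer class assumed to be autoloaded; $configuredFrom is a constructed value.)
$configuredFrom = 'billing@example.com';
if (!isSafeSenderAddress($configuredFrom)) {
    throw new InvalidArgumentException('Refusing configured sender address');
}
$mail = new PHPMailer();
$mail->setFrom($configuredFrom, 'Billing');
```

The check runs before setFrom() so that the decision to refuse an address is made by the application, independent of which PHPMailer version happens to be installed.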
Irrespective of the known protections in the WHMCS product, this CVE represents a serious issue for PHPMailer. Therefore, to mitigate any undiscovered risk, or risk to third-party extensions that use PHPMailer directly, we are releasing updates for all versions of WHMCS in active and long-term support to provide the latest PHPMailer library, version 5.2.21.
Upgrade to one of the following WHMCS versions:
- WHMCS 7.1.1 - Release Notes
- WHMCS 7.0.3 - Release Notes
- WHMCS 6.3.2 - Release Notes
- WHMCS 6.2.3 - Release Notes
Both full and incremental patch set versions have been made available for all of the above versions and can be downloaded via our Download page.
The incremental patches can be used if you are running the immediate prior release, for example to upgrade from 6.3.1 to 6.3.2. If you are running an older version, you must use the full release download.