On 26 December 2016, Legal Hackers reported a critical remote code execution flaw in PHPMailer, a PHP library used on millions of websites. The PHPMailer library is used in WordPress and other popular web applications for sending email, and this vulnerability leaves over 9 million websites open to remote code execution.

The vulnerability was discovered by a Polish security researcher, Dawid Golunski of LegalHackers.com, and reported by Legal Hackers on Christmas Day. A second security advisory regarding PHPMailer was published by LegalHackers on 27 December 2016. The second advisory included a “proof of concept” exploit.

WordFence Says “Don’t Panic”

WordFence, a WordPress security firm and developer of one of the most popular WordPress security plugins, published a security notice about this vulnerability on 26 December and has updated the article several times since. Their advice is not to panic. The WP Core team has opened an issue with a proposed patch, and a WordPress update is expected to be released soon to fix the problem.

Bottom Line: Keep an Eye Out for WordPress Updates

This vulnerability report underlines the importance of keeping on top of WordPress updates for your websites. Website owners should also make it their business to know whether their web hosting providers keep their PHP libraries patched.

Published by Site Geek

My name is Patricia Dumond. I am the founding member and “Chief Geek” at Site Geeks LLC, located in Hinesville, Georgia. I started Site Geeks with one goal in mind: to help small businesses and non-profits get their message out on the web. I live in southeast Georgia. I retired in October 2013 after 34 years of service with the United States Army as both a soldier and a civilian. I have two sons, 5 cats (plus 4 who own my sister and 3 my son dropped off with us on his way to Vermont) and 2 dogs, Mab and Molly. My husband, Paul, passed away in June 2010 and my sister, Roberta (also a widow) came to live with me here in the boondocks. She keeps me company and makes sure I’m fed and have clean clothes (it’s kind of like having a wife). I’ve worked with computers since they were programmed via punched cards and took up entire rooms. I’ve programmed databases in COBOL. That’s how long I’ve been around computers. I’ve been developing and administering websites since 1999. I’m fluent in all the acronyms: HTML, CSS, PHP, etc… I was on the team that built the first website for Fort Stewart, Georgia, around 2002 — a cemetery database I programmed for the web is still on the site today. I spent my last 4 years as an Army civilian working in web security.