Legal Hackers reported a critical remote execution flaw in PHPMailer, a PHP library used on millions of websites on 26 December 2016. The PHPMailer library is used in WordPress and other popular web applications for sending email and this vulnerability leaves over 9 million websites open to remote code execution.
The vulnerability was discovered by a Polish security researcher, David Golenski of LegalHackers.com and reported by Legal Hackers on Christmas Day. A second security advisory regarding PHPMailer was published by LegalHackers on 27 December 2016. The seond advisory included a "proof of concept" exploit.
WordFence Says "Don't Panic"
WordFence, a WordPress security firm, and developers of one of the most popular WordPress security plugins published a security notice about this vulnerability on 26 December and updated the article several times since. Their advice is not to panic. The WP Core team has opened an issue with a proposed patch and a WordPress update is expected to be released soon to patch the problem.
Bottom Line: Keep an Eye Out for WordPress Updates
This vulnerability report underlines the importance of keeping on top of WordPress updates for your websites. Website owners should also make it their business to know whether their web hosting providers keep their PHP libraries patched.