A critical PHPMailer bug has found to be affecting millions of websites hosted on popular open source CMS platforms. The bug is related to the communication in email and feedback forms on websites based on WordPress, Drupal and Joomla.
Security researcher Dawid Golunski has first discovered the bug. An attacker can remotely execute arbitrary code using a web server to comprise the security of web applications, Golunski revealed.
Over nine million websites vulnerable
The vulnerability (CVE-2016-10033) is found on the way websites handle web-based email submission forms using PHPMailer component. The researcher estimated that the same component is used by over nine million websites to enable registration forms and email submissions.
It has been spotted that an attacker targets common website elements like registration, feedback, email submission forms to gain backdoor access. The developers behind PHPMailer were quick to push an update, and its version 5.2.18 has fixed the vulnerability.
However, just a few days later Golunski found another vulnerability (CVE-2016-10045) that has made all versions of PHPMailer vulnerable again.
WordPress and Drupal have issued the warnings on their official channel. Drupal has even flagged it as a highly critical vulnerability. Additionally platforms like 1CRM, Yii and SugarCRM has also been impacted by the PHPMailer vulnerability.