Support » Plugin: Contact Form 7 » PHPMailer (CVE-2016-10033)

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hey folks, I just wanted to ask the same question. Even the was sent from a potentially vulnerable version of PHPMailer (5.2.14). A comment on states that it is only relevant when sendmail is used (in German).

    Hi, I have just asked the same virtually a minute after you.

    WordPress is already working on it and have a patch; but it’s not pushed to an official WordPress update yet.

    if you look at wp-content/plugins/contact-form-7/includes/mail.php

    add_action( 'phpmailer_init', 'wpcf7_phpmailer_init' );

    function wpcf7_phpmailer_init( $phpmailer ) {
    	$wpcf7_content_type = false;

    	// Look for the plugin's own content-type marker among the custom headers.
    	foreach ( (array) $phpmailer->getCustomHeaders() as $custom_header ) {
    		if ( 'X-WPCF7-Content-Type' == $custom_header[0] ) {
    			$wpcf7_content_type = trim( $custom_header[1] );
    			break;
    		}
    	}

    	// Switch the message to HTML when the form asked for it.
    	if ( 'text/html' == $wpcf7_content_type ) {
    		$phpmailer->msgHTML( $phpmailer->Body );
    	}
    }

    It appears it uses the WordPress built-in PHPMailer, which would mean it’s vulnerable, but it should be sorted very shortly.
    But as you said, would be nice to get a confirmation from the author.

    Cheers, Tom


    CF7 validates email field types with WP’s is_email() function which seems to block the escaping required for the exploit. I also tried a regular text field, like the default your-subject, and using that in the sender field in the contact form’s config, but could not get it to execute on the server. So as far as I can tell after reading the proof-of-concept and trying to apply it, it’s safe. Don’t take this as an authoritative statement, try it yourself or patch it up before the update rolls out.
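    As an added illustration of the kind of sender check this reply relies on (example code, not Contact Form 7's or WordPress's own implementation of is_email(); the function name strict_sender_address and the sample inputs are constructed), the snippet below accepts only a single plain address and rejects anything carrying whitespace, quotes or backslashes before it ever reaches the mailer:

```php
<?php
// Added example, not plugin or WordPress code. Shows a strict allow-list style
// sender validation: a value is handed to the mailer only if it is one plain
// address containing no characters a mail transport could misread.
function strict_sender_address( string $candidate ): ?string {
    $candidate = trim( $candidate );

    // Reject whitespace, quotes, backslashes and list/angle-bracket syntax outright.
    if ( preg_match( '/[\s"\'\\\\<>,;]/', $candidate ) ) {
        return null;
    }

    // Then require a syntactically valid single address.
    if ( filter_var( $candidate, FILTER_VALIDATE_EMAIL ) === false ) {
        return null;
    }

    return $candidate;
}

// Constructed sample inputs: one well-formed address and two that a lax check
// might let through but a mailer should never see as a sender value.
$samples = [
    'alice@example.com',
    'alice@example.com bob@example.com',   // embedded whitespace
    '"alice"@example.com',                 // quoted local part
];

foreach ( $samples as $sample ) {
    $result = strict_sender_address( $sample );
    printf( "%-40s => %s\n", $sample, $result === null ? 'rejected' : 'accepted' );
}
```

    Wiring a check like this in front of whatever populates the From address keeps the decision in one place, so it does not depend on which mail transport WordPress ends up using.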
