Support » Plugin: Contact Form 7 » PHPMailer (CVE-2016-10033)

  • Hey folks, I just wanted to ask the same question. Even the wordpress.org registration e-mail was sent from a potentially vulnerable version of PHPMailer (5.2.14). A comment on heise.de states that it is only relevant when sendmail is used.
    https://www.heise.de/forum/heise-online/News-Kommentare/Luecke-in-PHPMailer-erlaubt-die-Ausfuehrung-fremden-Codes/Erklaerung-wie-die-Luecke-funktioniert/posting-29702835/show/ (IN GERMAN)

    @rckaag
    Hi, have just asked the same virtually a minute after you.
    https://wordpress.org/support/topic/phpmailer-vuln-cve-2016-10033/

    WordPress is already working on it and has a patch, but it’s not pushed to an official WordPress update yet.

    If you look at wp-content/plugins/contact-form-7/includes/mail.php:

    add_action( 'phpmailer_init', 'wpcf7_phpmailer_init' );
    
    function wpcf7_phpmailer_init( $phpmailer ) {
    	$wpcf7_content_type = false;
    
    	foreach ( (array) $phpmailer->getCustomHeaders() as $custom_header ) {
    		if ( 'X-WPCF7-Content-Type' == $custom_header[0] ) {
    			$wpcf7_content_type = trim( $custom_header[1] );
    			break;
    		}
    	}
    
    	if ( 'text/html' == $wpcf7_content_type ) {
    		$phpmailer->msgHTML( $phpmailer->Body );
    	}
    }
    

    It appears it uses the WordPress built-in PHPMailer, which would mean it’s vulnerable, but should be sorted very shortly.
    But as you said, would be nice to get a confirmation from the author.

    Cheers, Tom

    • This reply was modified 2 years, 10 months ago by  tombob2006.

    CF7 validates email field types with WP’s is_email() function which seems to block the escaping required for the exploit. I also tried a regular text field, like the default your-subject, and using that in the sender field in the contact form’s config, but could not get it to execute on the server. So as far as I can tell after reading the proof-of-concept and trying to apply it, it’s safe. Don’t take this as an authoritative statement, try it yourself or patch it up before the update rolls out.
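
The is_email() check mentioned in the last reply can also be enforced at the `phpmailer_init` hook quoted earlier in the thread, so every plugin's mail passes through it before sending. This is an added example, not part of the thread and not Contact Form 7 or WordPress core code; the `example_*` function names and the fallback to the `admin_email` option are assumptions.

```php
<?php
/**
 * Added example (not Contact Form 7 or WordPress core code).
 * mu-plugin sketch: re-validate the sender addresses on the PHPMailer
 * object right before a message is sent. Function names are hypothetical.
 */

// Priority 999 so this runs after other phpmailer_init callbacks.
add_action( 'phpmailer_init', 'example_guard_phpmailer_sender', 999 );

function example_sender_is_safe( $address ) {
	if ( ! is_string( $address ) || '' === $address ) {
		return false;
	}
	// Reject whitespace, quotes, backslashes, brackets and control bytes.
	// Assumption: quoted local parts are refused outright, which is
	// stricter than the RFC but fine for a site's own sender address.
	if ( preg_match( '/[\s"\'\\\\()<>,;:\x00-\x1f\x7f]/', $address ) ) {
		return false;
	}
	// Same validator the reply above says CF7 applies to email fields.
	return (bool) is_email( $address );
}

function example_guard_phpmailer_sender( $phpmailer ) {
	// Sender is the envelope sender PHPMailer hands to the mail transport.
	// An empty Sender means no envelope-sender argument is passed at all.
	if ( '' !== (string) $phpmailer->Sender
		&& ! example_sender_is_safe( $phpmailer->Sender ) ) {
		// Log the event only, never the raw value (avoids log injection).
		error_log( 'phpmailer guard: dropped unsafe Sender' );
		$phpmailer->Sender = '';
	}

	if ( ! example_sender_is_safe( $phpmailer->From ) ) {
		error_log( 'phpmailer guard: replaced unsafe From' );
		// Assumption: the site admin address is an acceptable fallback.
		$phpmailer->From = (string) get_option( 'admin_email' );
	}
}
```

This narrows what can reach the mail transport but does not replace updating the bundled PHPMailer once the patched WordPress release is available.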
