PHPMailer Command Injection in WordPress Core via Exim

Added: 05/17/2017
BID: 95108

Background

Wordpress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress uses PHPMailer, which is a PHP class used for sending email from PHP. PHPMailer provides an interface to the system's mail transfer agent (MTA), such as Sendmail, Postfix, or Exim. Exim4 is the default MTA installed on newer Debian and Ubuntu systems.

Problem

PHPMailer class mailSend() function is vulnerable to command injection due to failure to properly sanitize the destination email address. Exploiting this vulnerability in WordPress along with Exim's expansion testing mode allows remote code execution.

Resolution

Upgrade to WordPress Core version 4.7.1 or later to obtain an updated version of PHPMailer.

References

https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html

Limitations

Exploit works on WordPress Core 4.6 and probably other versions before 4.7.1.

The target must have wget or curl and the Exim mail transfer agent.
Back to exploit index