CyberSec.Space Logo
Back to CVE Browser

CVE-2016-10045

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1640%
EPSS Percentile9.88th
PublishedDec 30, 2016
Last ModifiedMay 6, 2026

Vulnerability Description

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

Affected Platforms (CPE)

πŸ“¦
Phpmailer Project

Phpmailer

< 5.2.20
πŸ“¦
Wordpress

Wordpress

<= 4.7
πŸ“¦
Joomla

Joomla\!

>= 1.5.0 and <= 3.6.5

References & Advisories

πŸ”— http://openwall.com/lists/oss-security/2016/12/28/1
πŸ”— http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html
πŸ”— http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html
πŸ”— http://seclists.org/fulldisclosure/2016/Dec/81
πŸ”— http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
πŸ”— http://www.securityfocus.com/archive/1/539967/100/0/threaded
πŸ”— http://www.securityfocus.com/bid/95130
πŸ”— http://www.securitytracker.com/id/1037533

Related Vulnerabilities

CVE-2008-561910.0

html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alp...

CVE-2016-100339.8

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to ...

CVE-2020-363269.8

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: th...

CVE-2018-192968.8

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.